Manula de UTM Sophos
http://slidepdf.com/reader/full/manula-de-utm-sophos (631 pages, printed 8/21/2019)

Sophos UTM administration guide

Product version: 9.207

Document date: Wednesday, October 01, 2014


The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of Sophos Limited. Translations of this original manual must be marked as follows: "Translation of the original manual".

© 2014 Sophos Limited. All rights reserved.

http://www.sophos.com

Sophos UTM, Sophos UTM Manager, Astaro Security Gateway, Astaro Command Center, Astaro Gateway Manager, and WebAdmin are trademarks of Sophos Limited. Cisco is a registered trademark of Cisco Systems Inc. iOS is a trademark of Apple Inc. Linux is a trademark of Linus Torvalds. All further trademarks are the property of their respective owners.

Limited Warranty

No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected].


Contents

1 Installation 15

1.1 Recommended Reading 15

1.2 System Requirements 15

1.2.1 UPS Device Support 16

1.2.2 RAID Support 17

1.3 Installation Instructions 17

1.3.1 Key Functions During Installation 17

1.3.2 Special Options During Installation 18

1.3.3 Installing Sophos UTM 18

1.4 Basic Configuration 21

1.5 Backup Restoration 27

2 WebAdmin 29

2.1 WebAdmin Menu 30

2.2 Button Bar 31

2.3 Lists   32

2.4 Searching in Lists   33

2.5 Dialog Boxes   34

2.6 Buttons and Icons 35

2.7 Object Lists 37

3 Dashboard 39

3.1 Dashboard Settings 41

3.2 Flow Monitor 43

4 Management 47

4.1 System Settings 47

4.1.1 Organizational 48

4.1.2 Hostname 48

4.1.3 Time and Date 48

4.1.4 Shell Access 51

4.1.5 Scan Settings 52

4.1.6 Reset Configuration or Passwords 52

4.2 WebAdmin Settings 54

4.2.1 General 54

4.2.2 Access Control 55

4.2.3 HTTPS Certificate 56

4.2.4 User Preferences 57

4.2.5 Advanced 58


4.3 Licensing 61

4.3.1 How to Obtain a License 61

4.3.2 Licensing Model 62

4.3.3 Overview 67

4.3.4 Installation 67

4.3.5 Active IP Addresses 68

4.4 Up2Date 68

4.4.1 Overview 69

4.4.2 Configuration 71

4.4.3 Advanced 71

4.5 Backup/Restore 72

4.5.1 Backup/Restore 73

4.5.2 Automatic Backups 76

4.6 User Portal 77

4.6.1 Global 79

4.6.2 Advanced 80

4.7 Notifications 81

4.7.1 Global 81

4.7.2 Notifications 82

4.7.3 Advanced 82

4.8 Customization 83

4.8.1 Global 83

4.8.2 Web Messages 84

4.8.2.1 Modifying a Web Message 86

4.8.2.2 Download Manager 87

4.8.3 Web Templates 88

4.8.3.1 Customizing Web Templates 88

4.8.3.2 Uploading Custom Web Templates and Images   89

4.8.4 Email Messages   89

4.9 SNMP   90

4.9.1 Query 91

4.9.2 Traps   92

4.10 Central Management 94

4.10.1 Sophos UTM Manager 94

4.11 Sophos Mobile Control 97

4.11.1 General 97

4.11.2 Compliance Overview 98

4.11.3 Network Access Control 98

4.11.4 Configuration Settings 99

4.12 High Availability 100

4.12.1 Hardware and Software Requirements 102


4.12.2 Status 102

4.12.3 System Status 103

4.12.4 Configuration 104

4.13 Shutdown and Restart 108

5 Definitions & Users 109

5.1 Network Definitions 109

5.1.1 Network Definitions 109

5.1.2 MAC Address Definitions 114

5.2 Service Definitions 115

5.3 Time Period Definitions 117

5.4 Users & Groups 118

5.4.1 Users 118

5.4.2 Groups 121

5.5 Client Authentication 123

5.6 Authentication Services 124

5.6.1 Global Settings 125

5.6.2 Servers   126

5.6.2.1 eDirectory 126

5.6.2.2 Active Directory 128

5.6.2.3 LDAP 131

5.6.2.4 RADIUS 133

5.6.2.5 TACACS+ 135

5.6.3 Single Sign-On 136

5.6.4 One-time Password 138

5.6.5 Advanced 144

6 Interfaces & Routing 147

6.1 Interfaces 147

6.1.1 Interfaces 148

6.1.1.1 Automatic Interface Network Definitions 148

6.1.1.2 Interface Types 149

6.1.1.3 Group 151

6.1.1.4 3G/UMTS 151

6.1.1.5 Ethernet Static   153

6.1.1.6 Ethernet VLAN 155

6.1.1.7 Ethernet DHCP 157

6.1.1.8 DSL (PPPoE) 159

6.1.1.9 DSL (PPPoA/PPTP) 161

6.1.1.10 Modem (PPP) 163

6.1.2 Additional Addresses 165

6.1.3 Link Aggregation 166


6.1.4 Uplink Balancing 167

6.1.5 Multipath Rules 171

6.1.6 Hardware 173

6.2 Bridging 174

6.2.1 Status 175

6.2.2 Advanced 176

6.3 Quality of Service (QoS) 177

6.3.1 Status 177

6.3.2 Traffic Selectors 179

6.3.3 Bandwidth Pools 183

6.3.4 Download Throttling 184

6.3.5 Advanced 185

6.4 Uplink Monitoring 186

6.4.1 Global 186

6.4.2 Actions 187

6.4.3 Advanced 188

6.5 IPv6 189

6.5.1 Global 190

6.5.2 Prefix Advertisements 191

6.5.3 Renumbering 192

6.5.4 6to4 193

6.5.5 Tunnel Broker 193

6.6 Static Routing 195

6.6.1 Standard Static Routes 195

6.6.2 Policy Routes 196

6.7 Dynamic Routing (OSPF) 198

6.7.1 Global 198

6.7.2 Area   199

6.7.3 Interfaces   201

6.7.4 Message Digests 202

6.7.5 Debug   203

6.7.6 Advanced 203

6.8 Border Gateway Protocol 204

6.8.1 Global   205

6.8.2 Systems 205

6.8.3 Neighbor 206

6.8.4 Route Map 208

6.8.5 Filter List 210

6.8.6 Advanced 211

6.9 Multicast Routing (PIM-SM) 212

6.9.1 Global 212


6.9.2 Interfaces 213

6.9.3 RP Routers 214

6.9.4 Routes 214

6.9.5 Advanced 215

7 Network Services 217

7.1 DNS 217

7.1.1 Global 217

7.1.2 Forwarders 218

7.1.3 Request Routing 219

7.1.4 Static Entries 219

7.1.5 DynDNS 219

7.2 DHCP 222

7.2.1 Servers 223

7.2.2 Relay 225

7.2.3 Static Mappings 226

7.2.4 IPv4 Lease Table 226

7.2.5 IPv6 Lease Table 228

7.2.6 Options 229

7.3 NTP   232

8 Network Protection 233

8.1 Firewall 233

8.1.1 Rules 234

8.1.2 Country Blocking 237

8.1.3 Country Blocking Exceptions 238

8.1.4 ICMP 240

8.1.5 Advanced 242

8.2 NAT 244

8.2.1 Masquerading 244

8.2.2 NAT   245

8.3 Advanced Threat Protection 249

8.3.1 Global 249

8.4 Intrusion Prevention 250

8.4.1 Global 251

8.4.2 Attack Patterns 252

8.4.3 Anti-DoS/Flooding 253

8.4.4 Anti-Portscan 255

8.4.5 Exceptions 256

8.4.6 Advanced 258

8.5 Server Load Balancing 260

8.5.1 Balancing Rules 260


8.6 VoIP 263

8.6.1 SIP 263

8.6.2 H.323 264

8.7 Advanced 265

8.7.1 Generic Proxy 265

8.7.2 SOCKS Proxy 266

8.7.3 IDENT Reverse Proxy 267

9 Web Protection 269

9.1 Web Filtering 270

9.1.1 Web Filtering Changes 270

9.1.1.1 Some Key Differences 271

9.1.1.2 Common Tasks 271

9.1.1.3 Migration 272

9.1.2 Global 273

9.1.3 Policies 278

9.1.3.1 Filter Action Wizard 279

9.1.3.2 Categories 279

9.1.3.3 Websites 280

9.1.3.4 Downloads 282

9.1.3.5 Antivirus 283

9.1.3.6 Additional Options 284

9.2 Web Filter Profiles 286

9.2.1 Filter Profiles 286

9.2.2 Filter Actions 291

9.2.3 Parent Proxies 292

9.3 Filtering Options 293

9.3.1 Exceptions   293

9.3.2 Websites 296

9.3.3 Bypass Users 296

9.3.4 Potentially Unwanted Applications 297

9.3.5 Categories 297

9.3.6 HTTPS CAs 298

9.3.7 Misc   302

9.4 Policy Test   306

9.5 Application Control 307

9.5.1 Network Visibility 307

9.5.2 Application Control Rules 308

9.5.3 Advanced 310

9.6 FTP 311

9.6.1 Global 311


9.6.2 Antivirus 312

9.6.3 Exceptions 313

9.6.4 Advanced 314

10 Email Protection 315

10.1 SMTP 315

10.1.1 Global 315

10.1.2 Routing 316

10.1.3 Antivirus 318

10.1.4 Antispam 321

10.1.5 Data Protection 326

10.1.6 Exceptions 328

10.1.7 Relaying 329

10.1.8 Advanced 331

10.2 SMTP Profiles 334

10.3 POP3 338

10.3.1 Global 339

10.3.2 Antivirus 340

10.3.3 Antispam 341

10.3.4 Exceptions 342

10.3.5 Advanced 343

10.4 Encryption 348

10.4.1 Global 350

10.4.2 Options 351

10.4.3 Internal Users 352

10.4.4 S/MIME Authorities 354

10.4.5 S/MIME Certificates 356

10.4.6 OpenPGP Public Keys 357

10.5 SPX Encryption 357

10.5.1 SPX Configuration 359

10.5.2 SPX Templates 361

10.5.3 Sophos Outlook Add-in 364

10.6 Quarantine Report 364

10.6.1 Global 365

10.6.2 Exceptions 366

10.6.3 Advanced 367

10.7 Mail Manager 368

10.7.1 Mail Manager Window 369

10.7.1.1 SMTP/POP3 Quarantine 369

10.7.1.2 SMTP Spool 371

10.7.1.3 SMTP Log 372


10.7.2 Global 373

10.7.3 Configuration 374

11 Endpoint Protection 377

11.1 Computer Management 379

11.1.1 Global 379

11.1.2 Deploy Agent 381

11.1.3 Manage Computers 381

11.1.4 Manage Groups 382

11.1.5 Advanced 384

11.2 Antivirus 384

11.2.1 Policies 385

11.2.2 Exceptions 386

11.3 Device Control 388

11.3.1 Policies   388

11.3.2 Exceptions 389

11.4 Endpoint Web Control 391

11.4.1 Global 392

11.4.2 Advanced 392

11.4.3 Features not Supported 392

12 Wireless Protection 395

12.1 Global Settings 396

12.1.1 Global Settings 396

12.1.2 Advanced 397

12.2 Wireless Networks 397

12.3 Access Points   401

12.3.1 Overview 402

12.3.2 Grouping 407

12.4 Mesh Networks 408

12.5 Wireless Clients 411

12.6 Hotspots 411

12.6.1 Global 413

12.6.2 Hotspots 414

12.6.3 Voucher Definitions 422

12.6.4 Advanced 423

13 Webserver Protection 425

13.1 Web Application Firewall 425

13.1.1 Virtual Webservers 425

13.1.2 Real Webservers 429

13.1.3 Firewall Profiles 430


13.1.4 Exceptions 435

13.1.5 Site Path Routing 437

13.1.6 Advanced 438

13.2 Reverse Authentication 439

13.2.1 Profiles 439

13.2.2 Form Templates 443

13.3 Certificate Management 445

13.3.1 Certificates 445

13.3.2 Certificate Authority 445

13.3.3 Revocation Lists (CRLs) 445

13.3.4 Advanced 445

14 RED Management 447

14.1 Overview 448

14.2 Global Settings 448

14.3 Client Management 450

14.4 Deployment Helper 460

14.5 Tunnel Management 462

15 Site-to-site VPN   465

15.1 Amazon VPC 466

15.1.1 Status 466

15.1.2 Setup 467

15.2 IPsec   468

15.2.1 Connections 471

15.2.2 Remote Gateways 473

15.2.3 Policies 475

15.2.4 Local RSA Key 479

15.2.5 Advanced 480

15.2.6 Debug 482

15.3 SSL   482

15.3.1 Connections 483

15.3.2 Settings 485

15.3.3 Advanced 486

15.4 Certificate Management 487

15.4.1 Certificates 487

15.4.2 Certificate Authority 489

15.4.3 Revocation Lists (CRLs) 490

15.4.4 Advanced 491

16 Remote Access   493

16.1 SSL 494


16.1.1 Profiles 494

16.1.2 Settings 495

16.1.3 Advanced 496

16.2 PPTP 498

16.2.1 Global 498

16.2.2 iOS Devices 500

16.2.3 Advanced 500

16.3 L2TP over IPsec 501

16.3.1 Global 501

16.3.2 iOS Devices 504

16.3.3 Debug 505

16.4 IPsec 505

16.4.1 Connections 508

16.4.2 Policies 510

16.4.3 Advanced 513

16.4.4 Debug 515

16.5 HTML5 VPN Portal 516

16.5.1 Global 516

16.6 Cisco VPN Client 520

16.6.1 Global 520

16.6.2 iOS Devices 521

16.6.3 Debug 522

16.7 Advanced 522

16.8 Certificate Management 523

16.8.1 Certificates 523

16.8.2 Certificate Authority 523

16.8.3 Revocation Lists (CRLs) 523

16.8.4 Advanced 523

17 Logging & Reporting 525

17.1 View Log Files 527

17.1.1 Today's Log Files 527

17.1.2 Archived Log Files 527

17.1.3 Search Log Files 528

17.2 Hardware 528

17.2.1 Daily   528

17.2.2 Weekly 529

17.2.3 Monthly 529

17.2.4 Yearly 529

17.3 Network Usage 529

17.3.1 Daily 530


17.3.2 Weekly 530

17.3.3 Monthly 530

17.3.4 Yearly 530

17.3.5 Bandwidth Usage 531

17.4 Network Protection 532

17.4.1 Daily 532

17.4.2 Weekly 532

17.4.3 Monthly 533

17.4.4 Yearly 533

17.4.5 Firewall 533

17.4.6 Advanced Threat Protection 534

17.4.7 IPS 534

17.5 Web Protection 535

17.5.1 Web Usage Report 535

17.5.2 Search Engine Report 539

17.5.3 Departments 542

17.5.4 Scheduled Reports 543

17.5.5 Application Control 543

17.5.6 Deanonymization 544

17.6 Email Protection 545

17.6.1 Usage Graphs 545

17.6.2 Mail Usage 545

17.6.3 Blocked Mail 546

17.6.4 Deanonymization 547

17.7 Wireless Protection 547

17.7.1 Daily 547

17.7.2 Weekly 548

17.7.3 Monthly 548

17.7.4 Yearly 548

17.8 Remote Access 548

17.8.1 Activity 548

17.8.2 Session 549

17.9 Webserver Protection 549

17.9.1 Usage Graphs 550

17.9.2 Details 550

17.10 Executive Report 551

17.10.1 View Report 551

17.10.2 Archived Executive Reports 551

17.10.3 Configuration 551

17.11 Log Settings 552

17.11.1 Local Logging 552


17.11.2 Remote Syslog Server 553

17.11.3 Remote Log File Archives 554

17.12 Reporting Settings 556

17.12.1 Settings 556

17.12.2 Exceptions 559

17.12.3 Anonymizing 560

18 Support 563

18.1 Documentation 563

18.2 Printable Configuration 564

18.3 Contact Support 564

18.4 Tools 565

18.4.1 Ping Check   565

18.4.2 Traceroute 565

18.4.3 DNS Lookup 566

18.5 Advanced 567

18.5.1 Process List 567

18.5.2 LAN Connections 567

18.5.3 Routes Table 567

18.5.4 Interfaces Table 567

18.5.5 Config Dump 567

18.5.6 Resolve REF 568

19 Log Off 569

20 User Portal   571

20.1 User Portal: Mail Quarantine 572

20.2 User Portal: Mail Log 573

20.3 User Portal: POP3 Accounts 574

20.4 User Portal: Sender Whitelist 575

20.5 User Portal: Sender Blacklist 575

20.6 User Portal: Hotspots 576

20.7 User Portal: Client Authentication 578

20.8 User Portal: OTP Tokens 579

20.9 User Portal: Remote Access 580

20.10 User Portal: HTML5 VPN Portal 580

20.11 User Portal: Change Password 582

20.12 User Portal: HTTPS Proxy 582


1 Installation

This section provides information on installing and setting up Sophos UTM on your network. The installation of Sophos UTM proceeds in two steps: first, installing the software; second, configuring basic system settings. The initial setup required for installing the software is performed through a console-based installation menu. The internal configuration can be performed from your management workstation through the web-based administrative interface of Sophos UTM called WebAdmin. Before you start the installation, check if your hardware meets the minimum system requirements.

Note – If you are employing a Sophos UTM hardware appliance, you can skip the following sections and directly jump to the Basic Configuration section, as all Sophos UTM hardware appliances ship with UTM Software preinstalled.

The following topics are included in this chapter:

• Recommended Reading

• System Requirements

• Installation Instructions

• Basic Configuration

• Backup Restoration

1.1 Recommended Reading

Before you begin the installation, you are advised to read the following documents that help you set up Sophos UTM, all of which are enclosed within the package of your Sophos UTM hardware appliance unit and which are also available at the Sophos UTM Resource Center:

• Quick Start Guides Hardware

• Operating Instructions

1.2 System Requirements

The minimum hardware requirements for installing and using UTM are as follows:


• Processor: Pentium 4 with 1.5 GHz (or compatible)

• Memory: 1 GB RAM

• HDD: 20 GB IDE or SCSI hard disk drive

• CD-ROM Drive: Bootable IDE or SCSI CD-ROM drive

• NIC: Two or more PCI Ethernet network interface cards

• NIC (optional): One heart-beat capable PCI Ethernet network interface card. In a high-availability system, the primary and secondary system communicate with one another through so-called heart-beat requests. If you want to set up a high-availability system, both units need to be equipped with heart-beat capable network interface cards.

• USB (optional): One USB port for communications with a UPS device

• Switch (optional): A network device that connects (and selects between) network segments. Note that this switch must have jumbo frame support enabled.

Sophos provides a list of hardware devices compatible with UTM Software. The Hardware Compatibility List (HCL) is available at the Sophos Knowledgebase. To make the installation and operation of UTM Software less error-prone, you are advised to only use hardware that is listed in the HCL. The hardware and software requirements for the client PC used to access WebAdmin are as follows:

• Processor: Clock signal frequency 1 GHz or higher

• Browser: Latest version of Firefox (recommended), latest version of Chrome, latest version of Safari, or Microsoft Internet Explorer 8 onwards. JavaScript must be enabled. In addition, the browser must be configured not to use a proxy for the IP address of the UTM's internal network card (eth0).

1.2.1 UPS Device Support

Uninterruptible Power Supply (UPS) devices maintain a continuous supply of electric power to connected equipment by supplying power from a separate source when utility power is not available. Sophos UTM supports UPS devices of the manufacturers MGE UPS Systems and APC. The communication between the UPS device and Sophos UTM is made via the USB interface. As soon as the UPS device runs in battery operation, a notification is sent to the administrator. If the power failure persists for a longer period and the voltage of the UPS device approaches a critical value, another message is sent to the administrator and Sophos UTM is shut down automatically.


Note – Please read the operation manual of the UPS device to connect the devices to Sophos UTM. UTM will recognize the UPS device via the USB interface when booting. Only boot Sophos UTM after you have connected the USB interfaces to each other.

1.2.2 RAID Support

A RAID (Redundant Array of Independent Disks) is a data storage scheme using multiple hard drives to share or replicate data among the drives. To ensure that the RAID system is detected and properly displayed on the Dashboard, you need to use a RAID controller that is supported by Sophos UTM. Check the HCL to find out which RAID controllers are supported. The HCL is available at the Sophos Knowledgebase. Use "HCL" as search term to locate the corresponding page.

1.3 Installation Instructions

What follows is a step-by-step guide to the installation process of Sophos UTM Software. Before you begin the installation, please make sure you have the following items available:

• The Sophos UTM CD-ROM

• The license key for Sophos UTM

The setup program will check the hardware of the system, and then install the software on your PC.

1.3.1 Key Functions During Installation

In order to navigate through the menus, use the following keys (please also note the additional key functions listed at the bottom of a screen):

• F1: Displays the context-sensitive help screen.

• Cursor keys: Use these keys to navigate through the text boxes (for example, the license agreement or when selecting a keyboard layout).

• Tab key: Move back and forth between text boxes, lists, and buttons.

• Enter key: The entered information is confirmed, and the installation proceeds to the next step.


• Space key: Select or unselect options marked with an asterisk.

• Alt-F2: Switch to the installation console.

• Alt-F4: Switch to the log.

• Alt-F1: Switch to the interactive bash shell.

• Alt-F1: Return to the main installation screen.

1.3.2 Special Options During Installation

Some screens offer additional options:

View Log: Opens the installation log.

Support: Opens the support dialog screen.

To USB Stick: Writes the installation log as a zip file to a USB stick. Remember to insert a USB stick before confirming this option. The zip file can be used to solve installation problems, e.g. by the Sophos UTM Support Team.

Back: Returns to the previous screen.

Cancel: Opens a confirmation dialog window to abort the installation.

Help: Opens the context-sensitive help screen.

1.3.3 Installing Sophos UTM

1. Boot your PC from the CD-ROM drive or mount the downloaded ISO on a virtual drive.

The installation start screen is displayed.

Note – You can always press F1 to access the help menu. Pressing F3 in the start screen opens a troubleshooting screen.

2. Press Enter.

The Introduction screen is displayed.

3. Select Start Installation.

The Hardware Detection screen is displayed.

The software will check the following hardware components:


• CPU

• Size and type of hard disk drive

• CD-ROM drive

• Network interface cards

• IDE or SCSI controllers

If your system does not meet the minimum requirements, the installation will report the error and abort.

As soon as the hardware detection is completed, the Detected Hardware screen is displayed for information purposes.

4. Press Enter.

The Select Keyboard screen is displayed.

5. Select your keyboard layout.

Use the Cursor keys to select your keyboard layout, e.g. English (UK), and press Enter to continue.

The Select Timezone screen is displayed.

6. Select your area.

Use the Cursor keys to select your area, e.g. Europe, and press Enter to continue.

7. Select your time zone.

Use the Cursor keys to select your time zone, e.g. London, and press Enter to continue.

The Date and Time screen is displayed.

8. Set date and time.

If date and time are not correct, you can change them here. Use the Tab key and the Cursor keys to switch between text boxes. You can unselect the Host clock is UTC option by pressing the Space key. Invalid entries will be rejected. Confirm your settings with the Enter key.

The Select Admin Interface screen is displayed.

9. Select an internal network card.

In order to use the WebAdmin tool to configure the rest of Sophos UTM, select a network interface card to be the internal network card (eth0). Choose one of the available network cards from the list and confirm your selection with the Enter key.


Note – Interfaces having an active connection are marked with [link].

The Network Configuration screen is displayed.

10. Configure the administrative network interface.

Define the IP address, network mask, and gateway of the internal interface which is going to be the administrative network interface. The default values are:

Address: 192.168.2.100

Netmask: 255.255.255.0

Gateway: none

You need to change the gateway value only if you wish to use the WebAdmin interface from a workstation outside the subnet defined by the netmask. Note that the gateway itself must be within the subnet.[1]

Confirm your settings with the Enter key.

If your CPU supports 64 bit, the 64 Bit Kernel Support screen is displayed. Otherwise the installation continues with the Enterprise Toolkit screen.

11. Install the 64-bit kernel.

Select Yes to install the 64-bit kernel or No to install the 32-bit kernel.

The Enterprise Toolkit screen is displayed.

12. Accept installation of the Enterprise Toolkit.

The Enterprise Toolkit comprises the Sophos UTM Software. You can decide to install Open Source software only. However, we advise you to also install the Enterprise Toolkit to be able to use the full functionality of Sophos UTM.

Press Enter to install both software packages or select No to install the Open Source software only.

[1] For example, if you are using a network mask of 255.255.255.0, the subnet is defined by the first three octets of the address: in this case, 192.168.2. If your administration computer has the IP address 192.168.10.5, it is not on the same subnet, and thus requires a gateway. The gateway router must have an interface on the 192.168.2 subnet and must be able to contact the administration computer. In our example, assume the gateway has the IP address 192.168.2.1.


The Installation: Partitioning screen is displayed.

13. Confirm the warning message to start the installation.

Please read the warning carefully. After confirming, all existing data on the PC will be destroyed.

If you want to cancel the installation and reboot instead, select No.

Caution – The installation process will delete all data on the hard disk drive.

The software installation process can take up to a couple of minutes.

The Installation Finished screen is displayed.

14. Remove the CD-ROM, connect to the internal network, and reboot the system.

When the installation process is complete, remove the CD-ROM from the drive and connect the eth0 network card to the internal network. Except for the internal network card (eth0), the sequence of network cards normally will be determined by PCI ID and by the kernel drivers. The sequence of network card names may also change if the hardware configuration is changed, especially if network cards are removed or added.

Then press Enter in the installation screen to reboot UTM. During the boot process, the IP addresses of the internal network cards are changed. The installation routine console (Alt+F1) may display the message "No IP on eth0" during this time.

After Sophos UTM has rebooted (a process which, depending on your hardware, can take several minutes), ping the IP address of the eth0 interface to ensure it is reachable. If no connection is possible, please check if one of the following problems is present:

• The IP address of Sophos UTM is incorrect.

• The IP address of the administrative computer is incorrect.

• The default gateway on the client is incorrect.

• The network cable is connected to the wrong network card.

• All network cards are connected to the same hub.
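The gateway footnote in step 10 and the first three items of the checklist above (wrong UTM address, wrong administration computer address, wrong default gateway) come down to one subnet calculation. The following script is an added example and not part of the Sophos manual: it applies the manual's rule (a gateway is needed only when the administration computer lies outside the subnet defined by the netmask, and the gateway itself must be a host address inside that subnet) to the manual's own sample addresses. The function names are this example's own; the cable and hub items of the checklist cannot be decided from addresses and are left out.

```python
"""Added example (not from the Sophos manual): consistency checks for the
administrative interface settings entered in step 10, using the subnet rule
from the manual's footnote and the address items of the post-reboot checklist."""
import ipaddress
from typing import List, Optional


def utm_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Subnet defined by the eth0 address and netmask, e.g. 192.168.2.0/24."""
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def needs_gateway(utm_address: str, netmask: str, admin_address: str) -> bool:
    """True when the administration computer is outside the eth0 subnet."""
    return ipaddress.IPv4Address(admin_address) not in utm_network(utm_address, netmask)


def check_admin_path(utm_address: str, netmask: str, admin_address: str,
                     gateway: Optional[str] = None) -> List[str]:
    """Return the problems found (an empty list means the settings are consistent).

    Covers the address items of the manual's checklist; a cable plugged into the
    wrong card or all cards on one hub cannot be detected from addresses alone."""
    problems: List[str] = []
    net = utm_network(utm_address, netmask)
    utm_ip = ipaddress.IPv4Address(utm_address)
    admin_ip = ipaddress.IPv4Address(admin_address)

    if utm_ip in (net.network_address, net.broadcast_address):
        problems.append(f"UTM address {utm_address} is the network or broadcast address of {net}")
    if admin_ip == utm_ip:
        problems.append("administration computer and UTM use the same address")
    if admin_ip not in net and gateway is None:
        problems.append(f"administration computer {admin_address} is outside {net} "
                        "but no gateway is set")
    if gateway is not None:
        gw_ip = ipaddress.IPv4Address(gateway)
        if gw_ip not in net or gw_ip in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gateway} is not a usable host address inside {net}")
        elif gw_ip == utm_ip:
            problems.append("gateway must be a router on the subnet, not the UTM itself")
    return problems


if __name__ == "__main__":
    # The manual's example: UTM 192.168.2.100/24, admin host 192.168.10.5, gateway 192.168.2.1
    print(needs_gateway("192.168.2.100", "255.255.255.0", "192.168.10.5"))                 # True
    print(check_admin_path("192.168.2.100", "255.255.255.0", "192.168.10.5", "192.168.2.1"))  # []
    print(check_admin_path("192.168.2.100", "255.255.255.0", "192.168.10.5"))              # one problem
```

Run it before rebooting (or before ringing the support desk): an empty list from check_admin_path means the remaining suspects are the two physical ones at the end of the checklist.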

1.4 Basic Configuration

The second step of the installation is performed through WebAdmin, the web-based administrative interface of Sophos UTM. Prior to configuring basic system settings, you should have a plan how to integrate Sophos UTM into your network. You must decide which functions you want it to provide, for example, whether you want to operate it in bridge mode or in standard (routing) mode, or how you want it to control the data packets flowing between its interfaces. However, you can always reconfigure Sophos UTM at a later time. So if you have not yet planned how to integrate Sophos UTM into your network, you can begin with the basic configuration right away.

1. Start your browser and open WebAdmin.

Browse to the URL of Sophos UTM (i.e., the IP address of eth0). In order to stay consistent with our configuration example above, this would be https://192.168.2.100:4444 (note the HTTPS protocol and port number 4444).

Deviating from the configuration example, each Sophos UTM ships with the following default settings:

• Interfaces: Internal network interface (eth0)

• IP address: 192.168.0.1

• Network mask: 255.255.255.0

• Default gateway: none

To access WebAdmin of any Sophos UTM, enter the following URL instead:

https://192.168.0.1:4444

To provide authentication and encrypted communication, Sophos UTM comes with a self-signed security certificate. This certificate is offered to the web browser when an HTTPS-based connection to WebAdmin is established. Because the browser is unable to check the certificate's validity, it will display a security warning. Once you have accepted the certificate, the initial login page is displayed.
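The warning described above appears because the browser has nothing to validate the self-signed WebAdmin certificate against, so accepting it is a trust-on-first-use decision. The script below is an added example, not part of the Sophos manual or of the product: it fetches the certificate WebAdmin presents on port 4444, computes its SHA-256 fingerprint and compares it with a fingerprint you obtained over a trusted channel before accepting the browser warning. That you have such a reference fingerprint is an assumption of this example; the manual does not describe where to read it. The function names and the placeholder value are this example's own.

```python
"""Added example (not from the Sophos manual): fingerprint the self-signed
certificate WebAdmin presents and compare it with a pinned value obtained
out of band, instead of accepting the browser warning unseen."""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER-encoded certificate,
    the same notation browsers show in their certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    """Drop colons, spaces and case so values copied from different tools compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprints_match(presented: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints written in any common notation."""
    return hmac.compare_digest(_normalize(presented), _normalize(expected))


def fetch_webadmin_cert(host: str, port: int = 4444, timeout: float = 5.0) -> bytes:
    """Return the DER certificate served on https://host:port (network access required).

    Verification is disabled on purpose: a self-signed certificate cannot pass
    chain validation, and only the raw bytes are needed in order to fingerprint them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_webadmin(host: str, expected_fingerprint: str, port: int = 4444) -> bool:
    """Fetch, fingerprint and compare; True means the browser warning may be accepted."""
    presented = fingerprint_sha256(fetch_webadmin_cert(host, port))
    return fingerprints_match(presented, expected_fingerprint)


if __name__ == "__main__":
    # Placeholder: replace with the fingerprint read over a trusted channel (assumed to exist).
    EXPECTED = "<SHA-256 fingerprint obtained out of band>"
    # 192.168.0.1 is the factory default eth0 address given in the manual.
    ok = verify_webadmin("192.168.0.1", EXPECTED)
    print("certificate matches pinned fingerprint" if ok else "MISMATCH: do not accept the warning")
```

fetch_webadmin_cert deliberately turns verification off, which is why its result is only ever used to compute a fingerprint and never to exchange credentials; the actual login still happens in the browser, after the comparison has succeeded.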


Figure 1   WebAdmin: Initial Login Page

2. Fill out the Basic System Setup form.

Enter accurate information of your company in the text boxes presented here. In addition, specify a password and a valid email address for the administrator account. If you accept the license agreement, click the Perform Basic System Setup button to continue logging in. While performing the basic system setup, a number of certificates and certificate authorities are being created:

• WebAdmin CA: The CA with which the WebAdmin certificate was signed (see Management > WebAdmin Settings > HTTPS Certificate).

• VPN Signing CA: The CA with which digital certificates are signed that are used for VPN connections (see Site-to-site VPN > Certificate Management > Certificate Authority).

• WebAdmin Certificate: The digital certificate of WebAdmin (see Site-to-site VPN > Certificate Management > Certificates).

• Local X.509 Certificate: The digital certificate of Sophos UTM that is used for VPN connections (see Site-to-site VPN > Certificate Management > Certificates).


The login page appears. (With some browsers it may, however, happen that you are

presented another security warning because the certificate has changed according to

your entered values.)

Figure 2   WebAdmin: Regular Login Page

3.   Log into WebAdmin.

Type admin in the Username field and enter the password you specified on the previous screen.

A configuration wizard is presented, which guides you through the initial configuration process.

Continue: If you want to use the wizard, select this option and then click Next. Follow the steps to configure the basic settings of Sophos UTM.

Restore a backup: If you have a backup file, you can restore it instead. Select this option and then click Next. How to continue is described in section Backup Restoration.

Alternatively, you can safely click Cancel at any time during the wizard's steps and thereby exit the wizard, for example if you want to configure Sophos UTM directly in WebAdmin. You can also click Finish at any time to save the settings made so far and exit the wizard.

4.   Install your license.

Click the Folder icon to upload your purchased license (a text file). Click Next to install the license. If you did not purchase a license, click Next to use the built-in 30-day trial license, with all features enabled, that ships with Sophos UTM.

Note – If the selected license does not contain a certain subscription, the corresponding page is disabled in the remaining steps of the wizard.

5.   Configure the internal network interface.

Check the settings presented for the internal network interface (eth0). The settings for this interface are based on the information you provided during the installation of the software. Additionally, you can make Sophos UTM act as DHCP server on the internal interface by selecting the checkbox.

Note – If you change the IP address of the internal interface, you must connect to

WebAdmin again using the new IP address after finishing the wizard.

6.   Select the uplink type for the external interface.

Select the connection type of your uplink/Internet connection that the external network card is going to use. The type of interface and its configuration depend on what kind of connection to the Internet you use. Click Next.

If Sophos UTM has no uplink or you do not want to configure it right now, select the Setup Internet connection later checkbox. If you configure an Internet uplink, IP masquerading is automatically configured for connections from the internal network to the Internet.

If you select Standard Ethernet interface with static IP address, specifying a Default gateway is optional. If you leave the text box blank, the default gateway setting from the installation routine persists. You can skip each of the following steps by clicking Next. You can make and change the skipped settings later in WebAdmin.

Note – If your license does not allow one of the following features, the feature concerned will not be displayed.

7.   Make your basic firewall settings.

You can now select which types of services you want to allow on the Internet. Click Next to confirm your settings.

8.   Make your advanced threat protection settings.

You can now make settings regarding intrusion prevention and command & control/botnet detection for several operating systems and databases. Click Next to confirm your settings.

9.   Make your web protection settings.

You can now select whether the web traffic should be scanned for viruses and spyware.

 Additionally, you can select to block webpages that belong to certain categories. Click

Next to confirm your settings.

10.   Make your email protection settings.

You can now select the first checkbox to enable the POP3 proxy. You can also select the second checkbox to use the UTM as inbound SMTP relay: enter the IP address of your internal mail server and add the SMTP domains to route. Click Next to confirm your settings.

11.   Make your wireless protection settings.

You can now select the checkbox to enable wireless protection. In the box, select or add the interfaces that are allowed to connect your wireless access points to your system. Click the Folder icon to add an interface or click the Plus icon to create a new interface. Enter the other wireless network parameters. Click Next to confirm your settings.

12.   Make your advanced threat adaptive learning settings.

You can now select whether you want to send anonymous data to the Sophos research team. This data is used to improve future versions and to improve and enlarge the network visibility and application control library.

13.   Confirm your settings.

A summary of your settings is displayed. Click Finish to confirm them or Back to change them. You can also change them in WebAdmin later.

After clicking Finish your settings are saved and you are redirected to the Dashboard of WebAdmin, which provides you with the most important system status information of the Sophos UTM unit.

Figure 3   WebAdmin: Dashboard

If you encounter any problems while completing these steps, please contact the support

department of your Sophos UTM supplier. For more information, you might also want to

visit the following websites:

•   Sophos UTM Support Forum

•   Sophos Knowledgebase

1.5 Backup Restoration

The WebAdmin configuration wizard (see section Basic Configuration) allows you to restore an existing backup file instead of going through the basic configuration process. Do the following:

1.   Select Restore existing backup file in the configuration wizard.

Select Restore existing backup file in the configuration wizard and click Next. You are directed to the upload page.

2.   Upload the backup.

Click the Folder icon, select the backup file you want to restore, and click Start Upload.

3.   Restore the backup.

Click Finish to restore the backup.

Important Note – You will not be able to use the configuration wizard afterwards.

As soon as the backup has been restored successfully, you are redirected to the login page.

2 WebAdmin

WebAdmin is the web-based administrative interface that allows you to configure every aspect of Sophos UTM. WebAdmin consists of a menu and pages, many of which have multiple tabs. The menu on the left of the screen organizes the features of Sophos UTM in a logical manner. When you select a menu item, such as Network Protection, it expands to reveal a submenu and the associated page opens. Note that some menu items have no associated page. In that case the page of the previously selected menu or submenu item stays displayed, and you have to select one of the submenu items, which opens the associated page at its first tab.

On the first start of WebAdmin the setup wizard appears once. Follow its instructions to set up the most important settings.

The procedures in this documentation direct you to a page by specifying the menu item, submenu item, and tab, for example: "On the Interfaces & Routing > Interfaces > Hardware tab, configure ..."

Figure 4   WebAdmin: Overview

2.1 WebAdmin Menu

The WebAdmin menu provides access to all configuration options of Sophos UTM, that is, there is no need to use a command line interface to configure specific parameters.

•   Dashboard: The Dashboard graphically displays a snapshot of the current operating status of the Sophos UTM unit.

•   Management: Configure basic system and WebAdmin settings as well as all settings that concern the configuration of the Sophos UTM unit.

•   Definitions & Users: Configure network, service, and time period definitions as well as user accounts, user groups, and external authentication services for use with the Sophos UTM unit.

•   Interfaces & Routing: Configure system facilities such as network interfaces as well as routing options, among other things.

•   Network Services: Configure network services such as DNS and DHCP, among other things.

•   Network Protection: Configure basic network protection features such as firewall rules, voice over IP, or intrusion prevention settings.

•   Web Protection: Configure the Web Filter and application control of the Sophos UTM unit as well as the FTP proxy.

•   Email Protection: Configure the SMTP and POP3 proxies of the Sophos UTM unit as well as email encryption.

•   Endpoint Protection: Configure and manage the protection of endpoint devices in your network.

•   Wireless Protection: Configure wireless access points for the gateway.

•   Webserver Protection: Protect your webservers from attacks like cross-site scripting and SQL injection.

•   RED Management: Configure your Remote Ethernet Device (RED) appliances.

•   Site-to-site VPN: Configure site-to-site Virtual Private Networks.

•   Remote Access: Configure remote access VPN connections to the Sophos UTM unit.

•   Logging & Reporting: View log messages and statistics about the utilization of the Sophos UTM unit and configure settings for logging and reporting.

•   Support: Access to the support tools available on the Sophos UTM unit.

•   Log Off: Log out of the user interface.

Searching the Menu

Above the menu a search box is located. It lets you search the menu for keywords in order to easily find menus concerning a certain subject. The search function matches the names of menus but additionally allows for hidden indexed aliases and keywords.

As soon as you start typing into the search box, the menu automatically reduces to relevant menu entries only. You can leave the search box at any time and click the menu entry matching what you are looking for. The reduced menu stays intact, displaying the search results, until you click the reset button next to it.

Tip – You can set focus on the search box via the keyboard shortcut CTRL+Y.

2.2 Button Bar

The buttons in the upper right corner of WebAdmin provide access to the following features:

•   Username/IP: Shows the currently logged in user and the IP address from which WebAdmin is accessed. If other users are currently logged in, their data is shown, too.

•   Open Live Log: Clicking this button opens the live log that is associated with the WebAdmin menu or tab you are currently on. To see a different live log without having to change the menu or tab, hover over the Live Log button. After some seconds a list of all available live logs opens, from which you can select a live log to display. Your selection is memorized as long as you stay on the same WebAdmin menu or tab.

Tip – You can also open live logs via the Open Live Log buttons provided on multiple WebAdmin pages.

•   Online Help: Every menu, submenu, and tab has an online help screen that provides context-sensitive information and procedures related to the controls of the current WebAdmin page.

Note – The online help is version-based and updated by means of patterns. If you

update to a new firmware version, your online help will also be updated, if available.

•   Reload: To reload the currently displayed WebAdmin page, always click the Reload button.

Note – Never use the reload button of the browser, because that logs you out of WebAdmin.

2.3 Lists

Many pages in WebAdmin consist of lists. The buttons on the left of each list item enable you to edit, delete, or clone the item (for more information see section Buttons and Icons). To add an item to the list, click the New … button, where "…" is a placeholder for the object being created (e.g., interface). This opens a dialog box where you can define the properties of the new object.

Figure 5   WebAdmin: Example of a List

With the first drop-down list at the top you can filter all items according to their type or group. The second field at the top lets you search for items specifically. Enter a search string and click Find.

Lists with more than ten items are split into several chunks, which can be browsed with the Forward (>>) and Backward (<<) buttons. With the Display drop-down list, you can temporarily change the number of items per page. Additionally, you can change the default setting for all lists on the Management > WebAdmin Settings > User Preferences tab.

The header of a list provides some functionality. Normally, clicking a header field sorts the list by the object field of that name, e.g. clicking the field Name sorts the list by the objects' names. The Action field in the header contains batch options you can carry out on previously selected list objects. To select objects, select their checkboxes. Note that the selection stays valid across multiple pages, that is, while browsing between pages of a list, already selected objects stay selected.

Tip – Clicking the Info icon shows all configuration options in which the object is used.

2.4 Searching in Lists

A filter field helps you to quickly reduce the number of items displayed in a list. This makes it much easier to find the object(s) you are looking for.

Important Facts

•   A search in a list typically scans several fields for the search expression. A search in Users & Groups, for example, considers the username, the real name, the comment, and the first email address. Generally speaking, the search considers all text which you can see in the list, excluding details displayed via the Info icon.

•   The list search is case-insensitive. That means it makes no difference whether you enter upper- or lower-case letters. The search result will contain matches with both upper-case and lower-case letters. Searching explicitly for upper-case or lower-case letters is not possible.

•   The list search is based on Perl regular expression syntax (although case-insensitive). Typical search expressions known from text editors, such as * and ? as simple wildcard characters or the AND and OR operators, do not work in list search.

Examples

The following list is a small selection of useful search strings:

Simple string: Matches all words that contain the given string. For example, "inter" matches "Internet", "interface", and "printer".

Beginning of a word: Mark the search expression with a \b at the beginning. For example, \binter matches "Internet" and "interface" but not "printer".

End of a word: Mark the search expression with a \b at the end. For example, http\b matches "http" but not "https".

Beginning of an entry: Mark the search expression with a ^ at the beginning. For example, ^inter matches "Internet Uplink" but not "Uplink Interfaces".

IP addresses: When searching for IP addresses, you need to escape dots with a backslash, because an unescaped dot matches any character. For example, 192\.168 matches "192.168". To search more generally for IP addresses use \d, which matches any digit. \d+ matches one or more digits in a row. For example, \d+\.\d+\.\d+\.\d+ matches any IPv4 address.

Note – It makes sense to use a simple, fail-safe search expression that yields more matches rather than to rack your brains over a supposedly more precise one, which can easily lead to unexpected results and wrong conclusions.

You can find a detailed description of regular expressions and their usage in Sophos UTM in the Sophos Knowledgebase.
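The following script, added here as an illustration and not taken from Sophos UTM or its documentation, reproduces the list-search behaviour described above against a constructed object list: several fields are scanned, matching is case-insensitive, and the expression is interpreted as a regular expression rather than as a glob. Python's re module stands in for the Perl engine behind WebAdmin; the constructs used (\b, ^, \d, escaped dots, and the handling of a bare * or ?) behave the same in both. The object names, comments and addresses are made up for the example.

```python
import re

# Constructed sample of a WebAdmin-style object list: (name, comment, address).
# These entries are made up for this example and are not taken from a UTM.
OBJECTS = [
    ("Internal (Network)", "LAN", "192.168.1.0/24"),
    ("Internet Uplink", "", ""),
    ("Uplink Interfaces", "", ""),
    ("printer-vlan", "Printers", "10.10.20.0/24"),
    ("http", "TCP 80", ""),
    ("https", "TCP 443", ""),
    ("DMZ host", "web server", "10.0.0.5"),
]


def compile_search(expr):
    """Compile a list-search expression as WebAdmin interprets it: a
    Perl-style regular expression, matched case-insensitively.  Python's
    re module is used here as a stand-in for Perl.  Returns None when the
    text is not a valid regular expression, which is what a bare glob
    wildcard such as "*" or "?" amounts to."""
    try:
        return re.compile(expr, re.IGNORECASE)
    except re.error:
        return None


def list_search(objects, expr):
    """Return the names of all objects where ANY visible field matches
    expr.  Mirrors the documented behaviour: several fields are scanned,
    the match is case-insensitive, and a plain string matches anywhere
    inside a field (it is neither anchored nor a whole-word match)."""
    pattern = compile_search(expr)
    if pattern is None:
        return []
    return [
        name
        for name, *fields in objects
        if any(pattern.search(field) for field in (name, *fields))
    ]


if __name__ == "__main__":
    for expr in ("inter", r"\binter", r"http\b", r"^inter",
                 r"192\.168", r"\d+\.\d+\.\d+\.\d+", r"http?", "*"):
        print(f"{expr!r:28} -> {list_search(OBJECTS, expr)}")
```

Running list_search(OBJECTS, r"http?") shows why the glob habit misleads: the ? makes the preceding p optional, so the expression matches both "http" and "https" instead of "http plus exactly one character". A bare "*" or "?" is not a valid expression at all and matches nothing, which is the kind of unexpected result the note above warns about.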

2.5 Dialog Boxes

Dialog boxes are special windows used by WebAdmin to prompt you for specific information. The example shows a dialog box for creating a new static route in the Interfaces & Routing > Static Routing menu.

Figure 6   WebAdmin: Example of a Dialog Box

Each dialog box can consist of various widgets such as text boxes, checkboxes, and so on. In addition, many dialog boxes offer drag-and-drop functionality, which is indicated by a special background reading DND. Whenever you encounter such a box, you can drag an object into it. To open the object list from which to drag the objects, click the Folder icon located right next to the text box. Depending on the configuration option, this opens the list of available networks, interfaces, users/groups, or services. Clicking the green Plus icon opens a dialog window letting you create a new definition. Some widgets that are not necessary for a certain configuration are grayed out. In some cases, however, they can still be edited, but have no effect.

Note – You may have noticed the presence of both Save and Apply buttons in WebAdmin. The Save button is used in the context of creating or editing objects in WebAdmin such as static routes or network definitions. It is always accompanied by a Cancel button. The Apply button, on the other hand, serves to confirm your settings in the backend, thus promptly activating them.

2.6 Buttons and Icons

WebAdmin has some buttons and functional icons whose usage is described here.

Buttons (the button icons themselves are not reproduced here):

•   Shows a dialog box with detailed information on the object.

•   Opens a dialog box to edit the properties of the object.

•   Deletes the object. If an object is still in use somewhere, there will be a warning. Not all objects can be deleted if they are in use.

•   Opens a dialog box for creating an object with identical settings/properties. Helps you to create similar objects without having to type all identical settings over and over again.

Functional Icons:

•   Info: Shows all configurations where the object is in use.

•   Details: Links to another WebAdmin page with more information about the topic.

•   Toggle switch: Enables or disables a function. Green when enabled, gray when disabled, and amber when configuration is required before enabling.

•   Folder: Has two different functions: (1) Opens an object list (see section below) on the left side from which you can choose appropriate objects. (2) Opens a dialog window to upload a file.

•   Plus: Opens a dialog window to add a new object of the required type.

•   Action: Opens a drop-down menu with actions. The actions depend on the location of the icon: (1) Icon in a list header: the actions, e.g., Enable, Disable, Delete, apply to the selected list objects. (2) Icon in a text box: with the actions Import and Export you can import or export text, and with Empty you delete the entire content. There is also a filter field which helps you to drill down a list to relevant elements. Note that this filter is case-sensitive, unlike the list search.

•   Empty: Removes an object from the current configuration when located in front of the object. Removes all objects from a box when located in the Actions menu. Objects are, however, never deleted.

•   Import: Opens a dialog window to import text with more than one item or line. Makes adding multiple items easier without having to type them individually, e.g. a large blacklist to the URL blacklist. Copy the text from anywhere and paste it using CTRL+V.

•   Export: Opens a dialog window to export all existing items. You can select a delimiter to separate the items, which can be either new line, colon, or comma. To export the items as text, mark the whole text in the Exported Text field and press CTRL+C to copy it. You can then paste it into all common applications using CTRL+V, for example a text editor.

•   Sort: Using these two arrows, you can sort list elements by moving an element down or up, respectively.

•   Forward/Backward: Depending on the location, you can navigate through the pages of a long list, or move back and forth along the history of changes and settings.

•   PDF: Saves the current view of data in a PDF file and then opens a dialog window to download the created file.

•   CSV: Saves the current view of data in a CSV (comma-separated values) file and then opens a dialog window to download the created file.

2.7 Object Lists

An object list is a drag-and-drop list which is temporarily displayed on the left side of WebAdmin, covering the main menu.

Figure 7   WebAdmin: Dragging an Object From the Object List Networks

An object list is opened automatically when you click the Folder icon (see section above), or you can open it manually via a keyboard shortcut (see Management > WebAdmin Settings > User Preferences).

The object list gives you quick access to WebAdmin objects like users/groups, interfaces, networks, and services so that you can select them for configuration purposes. Objects are selected simply by dragging and dropping them onto the current configuration.

According to the different existing object types, there are five different types of object lists. Clicking the Folder icon always opens the type required by the current configuration.

3 Dashboard

The Dashboard graphically displays a snapshot of the current operating status of Sophos UTM. With the help of the Dashboard Settings icon at the top right you can, among other things, configure which topic sections are displayed. Further information on the settings can be found in Dashboard > Dashboard Settings.

The Dashboard is displayed when you log in to WebAdmin and shows the following information by default:

•   General Information: Hostname, model, license ID, subscriptions, and uptime of the unit. The display color of a subscription switches to orange 30 days before its expiration date. During the last 7 days and after expiration, a subscription is displayed in red.

•   Version Information: Information on the currently installed firmware and pattern versions as well as available updates.

•   Resource Usage: Current system utilization, including the following components:

    •   The CPU utilization in percent

    •   The RAM utilization in percent. Please note that the total memory displayed is the part that is usable by the operating system. On 32-bit systems, in some cases this does not represent the actual size of the physical memory installed, as part of it is reserved for hardware.

    •   The amount of hard disk space consumed by the log partition in percent

    •   The amount of hard disk space consumed by the root partition in percent

    •   The status of the UPS (uninterruptible power supply) module (if available)

•   Today's Threat Status: A counter for the most relevant security threats detected since midnight:

    •   The total of dropped and rejected data packets for which logging is enabled

    •   The total of blocked intrusion attempts

    •   The total of blocked viruses (all proxies)

    •   The total of blocked spam messages (SMTP/POP3)

    •   The total of blocked spyware (all proxies)

    •   The total of blocked URLs (HTTP/S)

    •   The total of blocked webserver attacks (WAF)

    •   The total of blocked endpoint attacks and blocked devices

•   Interfaces: Name and status of the configured network interface cards. In addition, information on the average bit rate of the last 75 seconds for both incoming and outgoing traffic is shown. The values presented are bit rate averages based on samples taken at intervals of 15 seconds. Clicking a traffic value of an interface opens a Flow Monitor in a new window. The Flow Monitor displays the traffic of the last ten minutes and refreshes automatically at short intervals. For more information on the Flow Monitor see chapter Flow Monitor.

•   Advanced Threat Protection: Status of Advanced Threat Protection. The display shows whether Advanced Threat Protection is enabled and a counter of infected hosts.

•   Current System Configuration: Enabled/disabled representation of the most relevant security features. Clicking one of the entries opens the WebAdmin page with the respective settings:

    •   Firewall: Information about the total of active firewall rules.

    •   Intrusion Prevention: The intrusion prevention system (IPS) recognizes attacks by means of a signature-based IPS rule set.

    •   Web Filtering: An application-level gateway for the HTTP/S protocol, featuring a rich set of web filtering techniques for the networks that are allowed to use its services.

    •   Network Visibility: Sophos' layer 7 application control allows you to categorize and control network traffic.

    •   SMTP Proxy: An application-level gateway for messages sent via the Simple Mail Transfer Protocol (SMTP).

    •   POP3 Proxy: An application-level gateway for messages sent via the Post Office Protocol 3 (POP3).

    •   RED: Configuration of Remote Ethernet Device (RED) appliances for branch office security.

    •   Wireless Protection: Configuration of wireless networks and access points.

    •   Endpoint Protection: Management of endpoint devices in your network. Displays the number of connected endpoints and alerts.

    •   Site-to-site VPN: Configuration of site-to-site VPN scenarios.

    •   Remote Access: Configuration of road warrior VPN scenarios.

    •   Web Application Firewall: An application-level gateway to protect your webservers from attacks like cross-site scripting and SQL injection.

    •   HA/Cluster: High availability (HA) failover and clustering, that is, the equal distribution of processing-intensive tasks such as content filtering, virus scanning, intrusion detection, or decryption among multiple cluster nodes.

    •   Sophos UTM Manager: Management of your Sophos UTM appliance via the central management tool Sophos UTM Manager (SUM).

    •   Antivirus: Protection of your network from web traffic that carries harmful and dangerous content such as viruses, worms, or other malware.

    •   Antispam: Detection of unsolicited spam emails and identification of spam transmissions from known or suspected spam purveyors.

    •   Antispyware: Protection from spyware infections by means of two different virus scanning engines with constantly updated signature databases and spyware filtering techniques that protect both inbound and outbound traffic.

3.1 Dashboard Settings

You can modify several settings concerning the Dashboard. Click the Dashboard Settings icon at the top right of the Dashboard to open the Edit Dashboard Settings dialog window.

Refresh dashboard: By default, the Dashboard is updated at intervals of five seconds. You

can configure the refresh rate from Never  to Every Minute.

Left Column – Right Column: The Dashboard is divided into different topic sections providing information on the respective topic. With the two boxes Left Column and Right Column you can arrange those topic sections and add or remove them from display. Those settings are then reflected by the Dashboard. Use the sort icons to sort the topic sections of a column. To add or remove a particular topic section from display, select or unselect its checkbox.

The topic sections displayed by default are described in the Dashboard chapter. These topic

sections can also be displayed:

•   Web Protection: Top Apps: Overview of the most used applications. In this section, hovering the cursor over an application displays one or two icons with additional functionality:

    •   Click the Block icon to block the respective application from now on. This creates a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM. WebAdmin traffic, for example, cannot be blocked, as this might lock you out of WebAdmin. Unclassified traffic cannot be blocked, either.

    •   Click the Shape icon to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This creates a rule both on the Traffic Selectors and on the Bandwidth Pools page. Traffic shaping is not available when viewing the All Interfaces Flow Monitor, as shaping works interface-based.

    •   Click the Throttle icon to enable traffic throttling of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This creates a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor, as throttling works interface-based.

•   Web Protection: Top Sites by Time: Overview of the most visited domains according to time.

•   Web Protection: Top Sites by Traffic: Overview of the most visited domains according to traffic.

•   Logging: Status of the log partition of your Sophos UTM unit, including information about the disk space left and the fill-up rate.

•   News Feed: News about Sophos and its products.

•   Chart: Concurrent Connections: Daily statistics and histogram of the total of concurrent connections.

•   Chart: Log Partition Status: Four-week statistics and histogram of the log partition usage.

•   Chart: CPU Usage: Daily statistics and histogram of the current processor usage in percent.

•   Chart: Memory/Swap Usage: Daily statistics and histogram of the memory and swap usage in percent.

•   Chart: Partition Usage: Daily statistics and histogram of the usage of selected partitions in percent.

Enable autogrouping on Dashboard: Select this option to display the information on the Dashboard compactly. This option only affects the selected Web Protection items in the left column and the selected Chart items in the right column. If selected, the respective information elements are displayed as overlaying tabs on the Dashboard. If unselected, the information elements are displayed side by side.

Click Save to save your settings.

3.2 Flow Monitor

The Flow Monitor of Sophos UTM is an application which gives quick access to information on network traffic currently passing the interfaces of the UTM. It can be accessed easily via the Dashboard by clicking one of the interfaces at the top right. By clicking All Interfaces the Flow Monitor displays the traffic accumulated on all active interfaces. By clicking a single interface, the Flow Monitor displays the traffic of this interface only.

Note – The Flow Monitor opens in a new browser window. As pop-up blockers are likely to

block this window it is advisable to deactivate pop-up blockers for WebAdmin.

The Flow Monitor providestwo views, a chart and a table, which are described in the next sec-

tions. It refreshes every five seconds. You can click the Pause button to stop refreshing. After 

clicking Continue to start refreshing again, the Flow Monitor updates to the current traffic inform-

ation.

Tabular View

The Flow Monitor table provides information on network traffic for the past five seconds:

#: Traffic is ranked based on its current bandwidth usage.

Application: Protocol or name of the network traffic if available. Unclassified traffic is a type of traffic unknown to the system. Clicking an application opens a window which provides information on the server, the port used, bandwidth usage per server connection, and total traffic.

Clients: Number of client connections using the application. Clicking a client opens a window which provides information on the client's IP address, bandwidth usage per client connection, and total traffic. Note that with unclassified traffic the number of clients in the table may be higher than the clients displayed in the additional information window. This is due to the fact that the term "unclassified" comprises more than one application. So, there might be only one client in the information window but three clients in the table, the latter actually being the connections of the single client to three different, unclassified applications.


Bandwidth Usage Now: The bandwidth usage during the last five seconds. Clicking a bandwidth opens a window which provides information on the download and upload rate of the application connection.

Total Traffic: The total of network traffic produced during the "lifetime" of a connection. Example 1: A download started some time in the past and still going on: the whole traffic produced during the time from the beginning of the download will be displayed. Example 2: Several clients using facebook: as long as one client keeps the connection open, the traffic produced by all clients so far adds up to the total traffic displayed.

Clicking a total traffic opens a window which provides information on the overall download and upload rate of the application connection.

Actions: Depending on the application type, there are actions available (except for unclassified traffic).

- Blocking: Click the Block button to block the respective application from now on. This will create a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM. WebAdmin traffic, for example, cannot be blocked as this might lead to shutting yourself out of WebAdmin. Unclassified traffic cannot be blocked, either.

- Traffic shaping: Click the Shape button to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Bandwidth Pools page. Traffic shaping is not available when viewing the All Interfaces Flow Monitor as shaping works interface-based.

- Download throttling: Click the Throttle button to enable download throttling for the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor as throttling works interface-based.

Chart View

The Flow Monitor chart displays the network traffic for the past ten minutes. The horizontal axis reflects time, the vertical axis reflects the amount of traffic while dynamically adapting the scale to the throughput.


At the bottom of the chart view a legend is located which refers to the type of traffic passing an interface. Each type of traffic has a different color so that it can be easily distinguished in the chart.

Note – The Flow Monitor displays much more differentiated information on traffic if Network Visibility is enabled (see chapter Web Protection > Application Control > Network Visibility).

When hovering the mouse cursor on a chart a big dot will appear, which gives detailed information on this part of the chart. The dot clings to the line of the chart. As you move the mouse cursor the dot follows. In case a chart has several lines, the dot switches between them according to where you move the mouse cursor. Additionally, the dot changes its color depending on which line its information refers to, which is especially useful with lines running close to each other. The dot provides information on type and size of the traffic at the respective point of time.


4 Management

This chapter describes how to configure basic system settings as well as the settings of the web-based administrative interface of Sophos UTM, WebAdmin, among others. The Overview page shows statistics of the last WebAdmin sessions including possible changes. Click the Show button in the Changelog column to view the changes in detail.

In the State column, the end times of previous WebAdmin sessions are listed.

Note – You can end a WebAdmin session by clicking the Log off menu. If you close the browser without clicking the Log off menu, the session times out after the time span defined on the Management > WebAdmin Settings > Advanced tab.

The following topics are included in this chapter:

- System Settings
- WebAdmin Settings
- Licensing
- Up2Date
- Backup/Restore
- User Portal
- Notifications
- Customization
- SNMP
- Central Management
- High Availability
- Shutdown/Restart

4.1 System Settings

The system settings menu allows you to configure basic settings of your UTM. You can set hostname, date and time settings as well as scan settings for the antivirus engine or advanced threat protection options. Configuration or password resets and SSH shell access configurations can also be done.

4.1.1 Organizational

Enter the following organizational information (if not yet done in the Installation Wizard):

- Organization Name: name of your organization
- City: location of your organization
- Country: country in which your organization is located
- Administrator's Email Address: email address to reach the person or group technically responsible for the operation of your Sophos UTM

Note that this data is also used in certificates for IPsec, email encryption and WebAdmin.

4.1.2 Hostname

Enter the hostname of your UTM as a fully qualified domain name (FQDN). The fully qualified domain name is an unambiguous domain name that specifies the node's absolute position in the DNS tree hierarchy, for example utm.example.com. A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a special designator such as com, org, or de. The hostname will be used in notification messages to identify UTM. It will also appear in status messages sent by the Web Filter. Note that the hostname does not need to be registered in the DNS zone for your domain.
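The hostname rules above, as an added example that is not part of the manual and not Sophos code: a Python validator that accepts alphanumerics, dots and hyphens and requires a final designator such as com, org or de. It goes slightly beyond the manual by also enforcing the standard DNS limits (63 characters per label, 253 in total, no label starting or ending with a hyphen); those limits and the tolerance of a trailing dot are assumptions of this example.

```python
import re
from typing import Tuple

# A label is alphanumerics and hyphens, 1-63 characters, not starting or ending
# with a hyphen (RFC 1035/1123 style, an assumption beyond the manual's wording).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# The final designator (com, org, de, ...) must be purely alphabetic.
_TLD_RE = re.compile(r"^[A-Za-z]{2,63}$")


def validate_hostname(hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate UTM hostname such as utm.example.com."""
    name = hostname.strip().rstrip(".")  # a trailing dot is tolerated (assumption)
    if not name:
        return False, "empty hostname"
    if len(name) > 253:
        return False, "hostname longer than 253 characters"
    if not re.fullmatch(r"[A-Za-z0-9.-]+", name):
        return False, "only letters, digits, dots and hyphens are allowed"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "not fully qualified: no designator such as com, org or de"
    for label in labels:
        if not _LABEL_RE.match(label):
            return False, f"invalid label {label!r}"
    if not _TLD_RE.match(labels[-1]):
        return False, f"last label {labels[-1]!r} is not a valid designator"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, not taken from any real system.
    for candidate in ("utm.example.com", "utm", "utm_1.example.com",
                      "-utm.example.com", "utm.example.123", "utm.example.com."):
        print(f"{candidate!r}: {validate_hostname(candidate)}")
```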

4.1.3 Time and Date

On your UTM, date and time should always be set correctly. This is needed both for getting correct information from the logging and reporting systems and to ensure interoperability with other computers on the Internet.

Usually, you do not need to set the time and date manually. By default, automatic synchronization with public Internet time servers is enabled (see section Synchronize Time with Internet Server below).

In the rare case that you need to disable synchronization with time servers, you can change the time and date manually. However, when doing so, pay attention to the following caveats:


- Never change the system time from standard time to daylight saving time or vice versa. This change is always automatically covered by your time zone settings, even if automatic synchronization with time servers is disabled.

- Never change date or time manually while synchronization with time servers is enabled, because automatic synchronization would typically undo your change right away. In case you must set the date or time manually, remember to first remove all servers from the NTP Servers box in the Synchronize Time with Internet Server section below and click Apply.

- After manually changing the system time, wait until you see the green confirmation message stating that the change was successful. Then reboot the system (Management > Shutdown/Restart). This is highly recommended as many services rely on the fact that time is changing continuously, not abruptly. Jumps in time therefore might lead to malfunction of various services. This advice holds universally true for all kinds of computer systems.

- In rare cases, changing the system time might terminate your WebAdmin session. In case this happens, log in again, check whether the time is now correctly set and restart the system afterwards.

If you operate multiple interconnected UTMs that span several time zones, select the same time zone for all devices, for example UTC (Coordinated Universal Time); this will make log messages much easier to compare.

Note that when you manually change the system time, you will encounter several side-effects, even when having properly restarted the system:

- Turning the clock forward

  - Time-based reports will contain no data for the skipped hour. In most graphs, this time span will appear as a straight line at the level of the latest recorded value.

  - Accounting reports will contain values of 0 for all variables during this time.

- Turning the clock backward

  - There is already log data for the corresponding time span in time-based reports.

  - Most diagrams will display the values recorded during this period as compressed.

  - The elapsed time since the last pattern check (as displayed on the Dashboard) shows the value "never", even though the last check was in fact only a few minutes ago.

  - Automatically created certificates on UTM may become invalid because the beginning of their validity periods would be in the future.

  - Accounting reports will retain the values recorded from the future time. Once the time of the reset is reached again, the accounting data will be written again as normal.

Because of these drawbacks the system time should only be set once when setting up the system, with only small adjustments being made thereafter. This especially holds true if accounting and reporting data needs to be processed further and accuracy of the data is important.

Set Date and Time

To configure the system time manually, select date and time from the respective drop-down lists. Click Apply to save your settings.

Set Time Zone

To change the system's time zone, select an area or a time zone from the drop-down list. Click Apply to save your settings.

Changing the time zone does not change the system time, but only how the time is represented in output, for example in logging and reporting data. Even if it does not disrupt services, we highly recommend rebooting afterwards to make sure that all services use the new time setting.

Synchronize Time with Internet Server

To synchronize the system time using a timeserver, select one or more NTP servers. Click Apply after you have finished the configuration.

NTP Servers: The NTP Server Pool is selected by default. This network definition is linked to the big virtual cluster of public timeservers of the pool.ntp.org project. In case your Internet service provider operates NTP servers for customers and you have access to these servers, it is recommended to remove the NTP Server Pool and use your provider's servers instead. When choosing your own or your provider's servers, using more than one server is useful to improve precision and reliability. The usage of three independent servers is almost always sufficient. Adding more than three servers rarely results in additional improvements, while increasing the total server load. Using both the NTP Server Pool and your own or your provider's servers is not recommended because it will usually improve neither precision nor reliability.

Tip – If you want client computers to be able to connect to these NTP servers, add them to the allowed networks on the Network Services > NTP page.

Test Configured Servers: Click this button if you want to test whether a connection to the selected NTP server(s) can be established from your device and whether it returns usable time data. This will measure the time offset between your system and the servers. Offsets should generally be well below one second if your system is configured correctly and has been operating in a stable state for some time.

Right after enabling NTP or adding other servers, it is normal to see larger offsets. To avoid large time jumps, NTP will then slowly skew the system time, such that eventually it will become correct without any jumping. In that situation, please be patient. In particular, in this case, do not restart the system. Rather, return to check about an hour later. If the offsets decrease, all is working as it should.
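What the offset test above actually measures, as an added example that is neither part of the manual nor Sophos code: each NTP exchange yields four timestamps, from which the clock offset and round-trip delay are computed as in RFC 5905. The example goes beyond the manual's single-server test by cross-checking three servers against their median, which is why three independent servers are recommended: one server with a bad clock is outvoted instead of trusted. The timestamps are constructed, not captured, and the one-second threshold follows the manual's rule of thumb.

```python
from statistics import median
from typing import Dict, Tuple

# One NTP request/response exchange yields four timestamps (RFC 5905):
#   t1 = client sends the request     t2 = server receives it
#   t3 = server sends the reply       t4 = client receives the reply
Sample = Tuple[float, float, float, float]

# Constructed exchanges in seconds since an arbitrary epoch, not real captures.
# "ntp-c" reports a clock 5 s away from the other two, like a misconfigured server.
SAMPLES: Dict[str, Sample] = {
    "ntp-a": (100.000, 100.020, 100.021, 100.041),
    "ntp-b": (100.000, 100.030, 100.031, 100.041),
    "ntp-c": (100.000, 105.020, 105.021, 100.041),
}


def ntp_offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Clock offset (server clock minus local clock) and round-trip delay of one exchange."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def assess_servers(samples: Dict[str, Sample], max_offset: float = 1.0) -> dict:
    """Per-server offsets plus a cross-check of every server against the median.

    max_offset is the manual's rule of thumb: offsets should be well below one
    second on a stable, correctly configured system.  A server whose offset
    deviates from the median by more than max_offset is marked as an outlier.
    """
    per_server = {}
    for name, (t1, t2, t3, t4) in samples.items():
        offset, delay = ntp_offset_and_delay(t1, t2, t3, t4)
        per_server[name] = {"offset": offset, "delay": delay, "ok": abs(offset) < max_offset}
    offsets = [entry["offset"] for entry in per_server.values()]
    med = median(offsets) if offsets else 0.0
    for entry in per_server.values():
        entry["outlier"] = abs(entry["offset"] - med) > max_offset
    return {"servers": per_server, "median_offset": med}


if __name__ == "__main__":
    result = assess_servers(SAMPLES)
    for name, entry in result["servers"].items():
        print(f"{name}: offset={entry['offset']:+.3f}s delay={entry['delay']:.3f}s "
              f"ok={entry['ok']} outlier={entry['outlier']}")
    print(f"median offset: {result['median_offset']:+.3f}s")
```

With the constructed samples, ntp-a and ntp-b agree to within 10 ms while ntp-c is flagged both as exceeding the threshold and as an outlier against the median; a single-server test would have no way to tell which side is wrong.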

4.1.4 Shell Access

Secure Shell (SSH) is a command-line access mode primarily used to gain remote shell access to UTM. It is typically used for low-level maintenance or troubleshooting. To access this shell you need an SSH client, which usually comes with most Linux distributions.

Allowed Networks

Use the Allowed networks control to restrict access to this feature to certain networks only. Networks listed here will be able to connect to the SSH service.

Authentication

In this section you can define an authentication method for SSH access and the strictness of access. The following authentication methods are available:

- Password (default)
- Public key
- Password and public key

To use these options, select the corresponding checkboxes. To use Public Key Authentication you need to upload the respective public key(s) into the field Authorized keys for loginuser for each user allowed to authenticate via their public key(s).

Allow Root Login: You can allow SSH access for the root user. This option is disabled by default as it leads to a higher security risk. When this option is enabled, the root user is able to log in via their public key. Upload the public key(s) for the root user into the field Authorized keys for root.

Click Apply to save your settings.
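Before pasting keys into the Authorized keys fields it pays to check that each line really is a well-formed OpenSSH public key, since a mistyped or mismatched key silently fails at login time. The following Python is an added example, not part of the manual and not Sophos code: it decodes the base64 blob, reads the SSH wire-format strings (RFC 4251), verifies that the key type embedded in the blob matches the declared type, and applies an assumed policy of an allow-list of key types and a 2048-bit minimum for RSA. The sample lines are built in the code from dummy key bytes and are not real keys; authorized_keys option prefixes such as from= are not handled.

```python
import base64
import binascii
import struct
from typing import Tuple

# Policy choices assumed for this example; the manual lists neither key types nor sizes.
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one length-prefixed string from an SSH wire-format blob."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def check_authorized_key(line: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one '<type> <base64> [comment]' authorized_keys line."""
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type not in ACCEPTED_TYPES:
        return False, f"key type {key_type!r} not accepted"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "key data is not valid base64"
    try:
        embedded, pos = _read_string(blob, 0)
        if embedded.decode("ascii", "replace") != key_type:
            return False, "declared key type does not match the key data"
        if key_type == "ssh-rsa":
            _exponent, pos = _read_string(blob, pos)
            modulus, pos = _read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA modulus is only {bits} bits (minimum {MIN_RSA_BITS})"
        elif key_type == "ssh-ed25519":
            public, pos = _read_string(blob, pos)
            if len(public) != 32:
                return False, "ed25519 public key must be 32 bytes"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# --- constructed sample lines (dummy key material, NOT real keys) ---
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # one extra byte so the sign bit is never set, as SSH mpint encoding requires
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
ED25519_LINE = "ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode() + " ops@example.com"
_WEAK_RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)
WEAK_RSA_LINE = "ssh-rsa " + base64.b64encode(_WEAK_RSA_BLOB).decode() + " legacy@example.com"
MISMATCH_LINE = "ssh-rsa " + base64.b64encode(_ED25519_BLOB).decode()

if __name__ == "__main__":
    for sample in (ED25519_LINE, WEAK_RSA_LINE, MISMATCH_LINE,
                   "ssh-ed25519 not*base64", "ssh-dss AAAA"):
        print(check_authorized_key(sample))
```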


Shell User Passwords

Enter passwords for the default shell accounts root and loginuser. To change the password for only one of these two accounts, just leave both input boxes for the other account blank.

Note – To enable SSH shell access, passwords must be set initially. In addition, you can only specify passwords that adhere to the password complexity settings as configured on the Definitions & Users > Authentication Services > Advanced tab. That is, if you have enabled complex passwords, shell user passwords must meet the same requirements.

SSH Daemon Listen Port

This option lets you change the TCP port used for SSH. By default, this is the standard SSH port 22. To change the port, enter an appropriate value in the range from 1024 to 65535 in the Port number box and click Apply.

4.1.5 Scan Settings

Antivirus Engine Preferences

Select the antivirus engine which will be used in all single scan configurations throughout WebAdmin. In dual scan configurations, both antivirus engines will be used. Note that dual scan is not available with the BasicGuard subscription. Click Apply to save your settings.

Advanced Threat Protection Options

Select the Send suspicious content to SophosLabs for analysis option to help improve protection. SophosLabs features a cloud-based sandbox where the behavior of suspected malware can be automatically observed and analyzed. This helps ensure speedy delivery of protection updates directly to your UTM. Disabling this functionality may increase defense response time.

All submissions are sent over a secure channel and are handled according to the SophosLabs Information Security Policy.

4.1.6 Reset Configuration or Passwords

The options on the Reset Configuration or Passwords tab let you delete the passwords of the shell users. In addition, you can execute a factory reset, and you can reset the UTM's system ID.


Reset System Passwords

Executing the Reset System Passwords Now function will reset the passwords of the following users:

- root (shell user)
- loginuser (shell user)
- admin (predefined administrator account)

In addition, to halt the system, select the Shutdown system afterwards option.

Security Note – The next person connecting to WebAdmin will be presented an Admin Password Setup dialog window. Thus, after resetting the passwords, you should usually quickly log out, reload the page in your browser, and set a new admin password.

Besides, shell access will not be possible anymore until you set new shell passwords on the Management > System Settings > Shell Access tab.

Factory Reset

The Run Factory Reset Now function resets the device back to the factory default configuration. The following data will be deleted:

- System configuration
- Web Filter cache
- Logs and reporting data
- Databases
- Update packages
- Licenses
- Passwords
- High availability status

However, the version number of Sophos UTM Software will remain the same, that is, all firmware and pattern updates that have been installed will be retained.

Note – Sophos UTM will shut down once a factory reset has been initiated.


UTM ID Reset

With the Reset UTM ID Now function you reset the system ID of the UTM to a new, random value. This is for example relevant when you use endpoint protection. Every UTM using endpoint protection identifies itself on Sophos LiveConnect with its unique system ID. When you for example clone a virtual UTM using endpoint protection and want the clone to use it too, you need to reset the cloned UTM's system ID so that it can afterwards identify with the new system ID. During the reset, endpoint protection will be turned off if it is turned on.

Note – Endpoints are connected to their UTM using the UTM system ID. If you reset the UTM system ID and there is no other UTM listening on the old UTM ID, their endpoints will need to be reinstalled.

Note – If a UTM is connected to Sophos UTM Manager, and you reset its UTM system ID, the UTM will connect as a new device. If necessary, you can merge the two devices.

4.2 WebAdmin Settings

The tabs under Management > WebAdmin Settings allow you to configure basic WebAdmin settings such as access control, the TCP port, HTTPS certificates, user preferences, and the WebAdmin language, among other things.

4.2.1 General

On the WebAdmin Settings > General tab you can configure the WebAdmin language and basic access settings.

WebAdmin Language

Select the language of WebAdmin. The selected language will also be used for some WebAdmin output, e.g., email notifications or the executive report. Note that this setting is global and applies to all users. Click Apply to save your settings.

After changing the language, it might be necessary to empty your browser cache to make sure that all texts are displayed in the correct language.

WebAdmin Access Configuration

Here you can configure which users and/or networks should have access to WebAdmin.


Allowed Administrators: Sophos UTM can be administered by multiple administrators simultaneously. In the Allowed Administrators box you can specify which users or groups should have unlimited read and write access to the WebAdmin interface. By default, this is the group of SuperAdmins. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Allowed Networks: The Allowed Networks box lets you define the networks that should be able to connect to the WebAdmin interface. For the sake of a smooth installation of UTM, the default is Any. This means that the WebAdmin interface can be accessed from everywhere. Change this setting to your internal network(s) as soon as possible. The most secure solution, however, would be to limit the access to only one administrator PC through HTTPS. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Log Access Traffic: If you want to log all WebAdmin access activities in the firewall log, select the Log Access Traffic checkbox.

4.2.2 Access Control

On the WebAdmin Settings > Access Control tab you can create WebAdmin roles for specific users. This allows for a fine-grained definition of the rights a WebAdmin user can have.

There are two user roles predefined:

Auditor: Users having this role can view logging and reporting data.

Readonly: Users having this role can view everything in WebAdmin without being able to edit, create, or delete anything.

To assign users or groups one of these roles, click the Edit button and add the respective user(s) or group(s) to the Members box.

You can create further roles, according to your security policies. Proceed as follows:

1. On the Access Control tab, click New Role.

   The Create Role dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this definition.

   Members: Add or select users or groups who are to have this role. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.


   Grant Read-Only Access (optional): Select this checkbox to grant read-only access to all areas of WebAdmin to the given members.

   Rights: This box contains different rights levels for the different functions of WebAdmin: auditor and manager. A manager has full administration rights for the respective function(s), whereas an auditor has only viewing rights. You can choose one or more rights by selecting the respective checkbox in front of a right.

   Example: You could give the user Jon Doe manager rights for Email Protection and additionally select the checkbox Grant read-only access. He would then be able to change settings in the Email Protection section and view all other areas of WebAdmin without being able to change anything there.

   Comment (optional): Add a description or other information.

3. Click Save.

   Your settings will be saved.

To either edit or delete a role, click the corresponding buttons. Note that the Auditor and Readonly roles cannot be deleted.
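The role model described above, as an added example that is not part of the manual and not Sophos code: a small Python evaluator in which a user's rights are the union over all roles they belong to (per-function auditor or manager level, the Grant Read-Only Access flag, and the Allowed Administrators group), with deny as the default. The function names, the role members and the set of WebAdmin functions are constructed for the example; the Jon Doe case is the manual's own.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional

VIEW, EDIT = "view", "edit"
AUDITOR, MANAGER = "auditor", "manager"

# Subset of WebAdmin functions used in this example (constructed list).
FUNCTIONS = ("Network Protection", "Web Protection", "Email Protection", "Logging & Reporting")


@dataclass
class Role:
    name: str
    members: FrozenSet[str]
    rights: Dict[str, str] = field(default_factory=dict)  # function -> AUDITOR | MANAGER
    read_only_all: bool = False                            # the "Grant Read-Only Access" checkbox


# The two predefined roles from the manual plus the manual's Jon Doe example,
# with constructed member names.
ROLES = [
    Role("Auditor", frozenset({"alice"}), {"Logging & Reporting": AUDITOR}),
    Role("Readonly", frozenset({"bob"}), read_only_all=True),
    Role("Email Manager", frozenset({"jon.doe"}), {"Email Protection": MANAGER},
         read_only_all=True),
]
ALLOWED_ADMINISTRATORS = frozenset({"admin"})  # unlimited read and write access


def permitted(user: str, function: str, action: str,
              roles: Iterable[Role] = ROLES,
              administrators: FrozenSet[str] = ALLOWED_ADMINISTRATORS) -> bool:
    """True if any role of the user grants the action on the function; deny by default."""
    if action not in (VIEW, EDIT):
        raise ValueError(f"unknown action {action!r}")
    if user in administrators:
        return True
    for role in roles:
        if user not in role.members:
            continue
        level = role.rights.get(function)
        if level == MANAGER:                 # manager: full administration rights
            return True
        if action == VIEW and (level == AUDITOR or role.read_only_all):
            return True                      # auditor or global read-only: viewing only
    return False


def effective_access(user: str) -> Dict[str, Optional[str]]:
    """Highest permitted action per function: EDIT, VIEW or None."""
    summary: Dict[str, Optional[str]] = {}
    for function in FUNCTIONS:
        if permitted(user, function, EDIT):
            summary[function] = EDIT
        elif permitted(user, function, VIEW):
            summary[function] = VIEW
        else:
            summary[function] = None
    return summary


if __name__ == "__main__":
    for user in ("jon.doe", "alice", "bob", "admin", "mallory"):
        print(user, effective_access(user))
```

Running it shows Jon Doe with edit on Email Protection and view everywhere else, the auditor limited to viewing Logging & Reporting, and an unknown user with no access at all, which is the behaviour a reviewer of the Access Control tab should expect.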

4.2.3 HTTPS Certificate

On the Management > WebAdmin Settings > HTTPS Certificate tab you can import the WebAdmin CA certificate into your browser, regenerate the WebAdmin certificate, or choose a signed certificate to use for WebAdmin and User Portal.

During the initial setup of the WebAdmin access you have automatically created a local CA certificate on UTM. The public key of this CA certificate can be installed into your browser to get rid of the security warnings when accessing the WebAdmin interface.

To import the CA certificate, proceed as follows:

1. On the HTTPS Certificate tab, click Import CA Certificate.

   The public key of the CA certificate will be exported. You can either save it to disk or install it into your browser.

2. Install the certificate (optional).

   The browser will open a dialog box letting you choose to install the certificate immediately.


Note – Due to different system times and time zones the certificate might not be valid directly after its creation. In this case, most browsers will report that the certificate has expired, which is not correct. However, the certificate will automatically become valid after a maximum of 24 hours and will stay valid for 27 years.

Re-generate WebAdmin Certificate

The WebAdmin certificate refers to the hostname you have specified during the initial login. If the hostname has been changed in the meantime, the browser will display a security warning. To avoid this, you can create a certificate taking the new hostname into account. For that purpose, enter the hostname as desired and click Apply. Note that due to the certificate change, to be able to continue working in WebAdmin, you probably need to reload the page via your web browser, accept the new certificate, and log back into WebAdmin.

Choose WebAdmin/User Portal Certificate

If you do not want to import the CA certificate but instead use your own signed certificate for WebAdmin and User Portal, you can select it here. However, for the certificate to be selectable from the drop-down list, you need to upload it first on the Remote Access > Certificate Management > Certificates tab in PKCS#12 format, containing the certificate, its CA and its private key. To use the uploaded certificate, select it from the Certificates drop-down list and click Apply.

4.2.4 User Preferences

On the Management > WebAdmin Settings > User Preferences tab you can configure some user preferences such as global shortcuts and items per page for the currently logged in user.

WebAdmin Shortcuts Configuration

Here you can configure keyboard shortcuts to open and close the drag-and-drop object lists used in many configurations (for more information see WebAdmin > Object Lists) or to set the cursor focus on the menu search box (see also WebAdmin > WebAdmin Menu). Use the drop-down list to select a different modifier key and the text box to enter a different character. You can also turn off the keyboard shortcut by selecting Off from the drop-down list.

If you want to return to the default settings, click the Reset to Defaults button. Click Apply to save your settings.


Table Pager Options

Here you can globally define the pagination of tables for WebAdmin, i.e. how many items are displayed per page. Click the drop-down list and select a value. Click Apply to save your settings.

WebAdmin Browser Title Customization

Here you can change the label which is displayed on the WebAdmin browser window or tab. You can enter plain text and/or use the following variables:

- %h: hostname
- %u: username
- %i: remote IP address

The default setting is WebAdmin - User %u - Device %h, which translates for example into WebAdmin - User admin - Device my_gateway.example.com. Click Apply to save your settings.

4.2.5 Advanced

WebAdmin Idle Timeout

Log Out After: In this field you can specify the period of time (in seconds) that a WebAdmin session can remain idle before the administrator is forced to log in again. By default, the idle timeout is set to 1,800 seconds. The range is from 60 to 86,400 seconds.

Log Out on Dashboard: By default, when you have opened the Dashboard page of WebAdmin, the auto logout function is enabled. You can, however, select this option to disable the auto logout function for the Dashboard only.

WebAdmin TCP Port

By default, port 4444 is used as the WebAdmin TCP port. In the TCP Port box you can enter either 443 or any value between 1024 and 65535. However, certain ports are reserved for other services. In particular, you can never use port 10443, and you cannot use the same port you are using for the User Portal or for SSL remote access. Note that you must add the port number to the IP address (separated by a colon) in the browser's address bar when accessing WebAdmin, for example https://192.168.0.1:4444

Terms of Use

Your company policies might demand that users accept terms of use when they want to access WebAdmin. Select the checkbox Display "Terms of Use" After Login to enforce that users must accept the terms of use each time they log into WebAdmin. Users will then be presented the terms of use after having logged in. If they do not accept them they will be logged out again.

You can change the terms of use text according to your needs. Click Apply to save your settings.

Sophos Adaptive Learning

You can help improve Sophos UTM by allowing it to transfer anonymous general information about your current configuration as well as information about detected viruses, or anonymous application fingerprints, to Sophos. That kind of information cannot and will not be tracked back to you. No user-specific information is collected, i.e., no user or object names, no comments, or other personalized information. However, URLs for which a virus was found will be transmitted if web filter antivirus scanning is enabled.

The information is encrypted and transmitted to SophosLabs using SSL. Once delivered, the data is stored in an aggregated form and made available to Sophos' software architects for making educated design decisions and thus improving future versions of Sophos UTM.

Send anonymous telemetry data: If enabled, the UTM gathers the following information:

- Configuration and usage data: The system will send the following data to Sophos' servers once a week.

  - Hardware and license information (not the owner), for example:

        processor Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
        memory 512MiB System Memory
        eth0 network 82545EM Gigabit Ethernet Controller
        id: UTM
        version: 9.000000
        type: virtual
        license: standard
        mode: standalone
        active_ips: 2
        system_id: 58174596-276f-39b8-854b-ffa1886e3c6c

    The system ID identifies your UTM only in the way that information of your system is not accidentally collected twice, e.g. after a re-installation.

  - Features in use (only whether they are turned on or off), for example:

        main->backup->status: 1

UTM 9 WebAdmin   59

4 Management   4.2 WebAdmin Settings

Page 60: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 60/631

4.2 WebAdmin Settings   4 Management

main->ha->status: off

l   Amount of configured objects, for example:

objects->interface->ethernet: 2objects->http->profile: 5

l   Enabled web filtering categoriesand exceptions

l   CPU, memory and swap usage values in percent over the last seven days

- Virus data: The system writes the following data into a file that is uploaded automatically to Sophos' servers every 15 minutes.

  - Information about viruses found by web protection, for example threat name, MIME type, URL of the request, or file size.

- Intrusion prevention data: The IPS log is checked every minute for new alerts. If there is a new alert, the following data is sent instantly to Sophos:

  - Information about the alert, for example snort rule identifier and timestamp.

  - Hardware and license information (not the owner), for example CPU total and CPU usage, memory total and memory usage, swap total and swap usage, system ID, engine version and pattern version. This data is sent every 24 hours.

- Advanced Threat Protection data: The system generates and uploads advanced threat protection data every 30 minutes.

  - Gathered information: system ID, timestamp, Sophos threat name, source IP, destination host, detection component, detection detail, number of threats, rule identifier.

Send anonymous application accuracy telemetry data: You can help to improve the recognition and classification abilities of network visibility and application control by participating in the Sophos UTM AppAccuracy Program. If enabled, the system will collect data in the form of anonymous application fingerprints and send it to Sophos' research team. There the fingerprints will be used to identify unclassified applications and to improve and enlarge the network visibility and application control library.


4.3 Licensing

The availability of certain features on Sophos UTM is defined by licenses and subscriptions, i.e. the licenses and subscriptions you have purchased with your UTM enable you to use certain features and not others.

4.3.1 How to Obtain a License

Sophos UTM ships with a 30-day trial license with all features enabled. After expiration, you must install a valid license to further operate Sophos UTM. All licenses (including free home use licenses) are created in the MyUTM Portal.

Once you have received the activation keys by email after purchasing a UTM license, you must use these keys in order to create your license or upgrade an existing license. To activate a license, log in to the MyUTM Portal and visit the license management page. At the top of the page is a form into which you can paste the activation key from the email. For more information see the MyUTM User Guide.

Figure 8   MyUTM Portal


Another form appears asking you to fill in information about the reseller you purchased the license from as well as your own details. The portal tries to pre-fill as much of this form as possible. Also, Sophos collects the UTM hardware serial number on this form if appropriate. After submitting this form, your license is created, and you are forwarded to the license detail page to download the license file.

To actually use the license, you must download the license file to your hard drive and then log in to your WebAdmin installation. In WebAdmin, navigate to the Management > Licensing > Installation tab and use the upload function to find the license text file on your hard drive. Upload the license file, and WebAdmin will process it to activate any subscriptions and other settings that the license outlines.

Note – The activation key you received by email cannot be imported into WebAdmin. This key is only used to activate the license. Only the license file can be imported to UTM.

4.3.2 Licensing Model

The modular licensing model of Sophos is very flexible. First, there is a base license, providing basic functions for free (see table below). Second, there are six additional subscriptions:

- Network Protection

- Web Protection

- Email Protection

- Endpoint Protection

- Wireless Protection

- Webserver Protection

Those can be purchased separately or in combination according to your needs. The FullGuard license contains all subscriptions. Each of the subscriptions enables certain features of the product. The table below gives you an overview of which features are enabled with which subscription.


Feature matrix (columns: Base License, Network, Web, Email, Endpoint, Wireless, Webserver)

Features, one per table row:

- Management (Backup, Notifications, SNMP, SUM, ...)
- Local Authentication (Users, Groups)
- Basic Networking (Static Routing, DHCP, DNS, Auto QoS, NTP, ...)
- Firewall/NAT (DNAT, SNAT, ...)
- PPTP & L2TP Remote Access
- Local Logging, standard executive reports
- Intrusion Prevention (Patterns, DoS, Flood, Portscan ...)
- IPsec & SSL Site-to-site VPN, IPsec & SSL Remote Access
- Advanced Networking (Link Aggregation, link balancing, Policy Routing, OSPF, Multicast, custom QoS, Server Load Balancing, Generic Proxy ...)
- User Portal
- High Availability
- Remote Auth (AD, eDir, RADIUS, ...)
- Remote Logging, advanced executive reports (archiving, configuration)
- Basic Web Filtering & FTP Proxy
- Web & FTP malware filtering
- Application Control
- Basic SMTP Proxy, Quarantine Report, Mail Manager
- SMTP & POP3 malware filtering
- Endpoint Protection, Antivirus
- Endpoint Protection, Device Control
- Wireless Protection
- Webserver Protection

There is also a BasicGuard subscription, available for UTM appliance model 100, which offers its own subset of the above mentioned features (for more information visit the product webpage).

UTMs can also be managed and licensed by Sophos UTM Manager (SUM). In this case, the SUM provides the MSP (Managed Service Provider) license to the UTM, and the Installation tab is disabled. Subscriptions can only be enabled by your SUM service provider.

For more detailed information on subscriptions and their feature set please refer to your certified UTM Partner or the Sophos UTM webpage.

Missing subscriptions result in disabled tabs in WebAdmin. Above the tabs a licensing warning message is displayed.


Figure 9   Licensing: Subscription Warning Message

Up2Dates

Each subscription enables full automatic update support, i.e. you will be automatically informed about new firmware updates. Also, firmware and pattern updates can be downloaded (and installed) automatically.

A base license without any subscriptions supports only limited automatic updates: solely pattern updates such as online help updates and the like will continue to be downloaded and installed automatically. You will, however, not be informed about available firmware updates, and the firmware updates have to be downloaded manually. Announcements for new firmware updates can be found in the Sophos UTM Up2Date Blog.

Support and Maintenance

The base license comes with Web Support. You can use the Sophos UTM Support Forum and the Sophos Knowledgebase.

As soon as you purchase one of the subscriptions you will be automatically upgraded to Standard Support, where you can additionally open a support case in the MyUTM Portal or contact your certified UTM Partner.

There is also the possibility to purchase a Premium Support subscription, which offers 24/7 support with a UTM Engineer being your contact person.


4.3.3 Overview

The Licensing > Overview tab provides detailed information about your license and is divided into multiple areas:

- Base License: Shows basic license parameters such as ID, registration date, or type.

- Network Protection, Email Protection, Web Protection, Webserver Protection, Wireless Protection, Endpoint AntiVirus, BasicGuard: These sections show information for subscriptions, such as whether they have been purchased and are therefore enabled, their expiration date, and a short description of the features they provide.

Note – When using MSP licensing, no expirations will be displayed, as licenses are managed by Sophos UTM Manager (SUM). Traditional keys and subscriptions are replaced with the SUM MSP system. For information about managing SUM, see Central Management > Sophos UTM Manager.

- Support Services: Shows the support level plus the date until which it is valid.

4.3.4 Installation

On the Management > Licensing > Installation tab you can upload and install a new license.

Note – When using MSP licensing, the tab is disabled, as licenses are managed by Sophos UTM Manager (SUM). New licenses can be installed by your SUM service provider. For information about managing SUM, see Central Management > Sophos UTM Manager.

To install a license, proceed as follows:

1.   Open the Upload File dialog window.

Click the Folder icon next to the License file box.

The Upload File dialog window opens.

2.   Select the license file.

Browse to the directory where your license file resides.

Select the license file you want to upload.


3.   Click Start Upload .

Your license file will be uploaded.

4.   Click Apply.

Your license will be installed. Note that the new license will automatically replace any other license already installed.

The installation of the license will take approximately 60 seconds.

4.3.5 Active IP Addresses

The free Sophos UTM Manager license allows for unlimited IP addresses.

If you do not have a license allowing unlimited users (IP addresses), this tab displays information on IP addresses covered by your license. IP addresses that exceed the scope of your license are listed separately. If the limit is exceeded you will receive an email notification at regular intervals.

Note – IP addresses not seen for a period of seven days will automatically be removed from the license counter.

4.4 Up2Date

The Management > Up2Date menu allows the configuration of the update service of Sophos UTM. Regularly installed updates keep your UTM up-to-date with the latest bug-fixes, product improvements, and virus patterns. Each update is digitally signed by Sophos; any unsigned or forged update is rejected. By default new update packages are automatically downloaded to UTM. This option can be configured in the Management > Up2Date > Configuration menu.

There are two types of updates available:

- Firmware updates: A firmware update contains bug-fixes and feature enhancements for Sophos UTM Software.

- Pattern updates: A pattern update keeps the antivirus, antispam, and intrusion prevention definitions as well as the online help up-to-date.

In order to download Up2Date packages, UTM opens a TCP connection to the update servers on port 443; the UTM itself allows this connection without any adjustment by the administrator. If there is another firewall in between, you must explicitly allow TCP port 443 from the UTM to the update servers.

4.4.1 Overview

The Management > Up2Date > Overview tab provides a quick overview of whether your system is up-to-date. From here, you can install new firmware and pattern updates.

Up2Date Progress

This section is only visible when you have triggered an installation process. Click the button Watch Up2Date Progress in New Window to monitor the update progress. If your browser does not suppress pop-up windows, a new window showing the update progress will be opened. Otherwise you will have to explicitly allow the pop-up window.

Note – A backup will be sent to the standard backup email recipients before an installation process is started.

Figure 10   Up2Date: Progress Window


Firmware

The Firmware section shows the currently installed firmware version. If an update package is available, a button Update to Latest Version Now is displayed. Additionally, you will see a message in the Available Firmware Up2Dates section. You can directly download and install the most recent update that is displayed from here. Once you have clicked Update To Latest Version Now, you can watch the update progress in a new window. For this, click the Reload button of WebAdmin.

Available Firmware Up2Dates

If you have selected Manual on the Configuration tab, you can see a Check for Up2Date Packages Now button in this section, which you can use to download firmware Up2Date packages manually. If more than one Up2Date is available, you can select which one you are going to install. You can use the Update to Latest Version Now button in the Firmware section if you want to install the most recent version directly.

There is a Schedule button available for each Up2Date with which you can define a specific date and time at which an update is to be installed automatically. To cancel a scheduled installation, click Cancel.

A note on "implicit" installations: There can be a constellation where you schedule an Up2Date package which requires an older Up2Date package to be installed first. That older Up2Date package will be automatically scheduled for installation before the actual Up2Date package. You can define a specific time for this package, too, but you cannot prevent its installation.

Pattern

The Pattern section shows the current version of the installed patterns. If you have selected Manual on the Configuration tab, you can see an Update Patterns Now button. Use this button to download and install new patterns if available.

Note – The current pattern version does not need to be identical with the latest available pattern version in order for the UTM unit to be working correctly. A deviation between the current and the latest available pattern version might occur when new patterns are available which, however, do not apply to the unit you are using. What patterns are downloaded depends on your settings and hardware configuration. For example, if you do not use the intrusion prevention feature of Sophos UTM, newly available IPS patterns will not be installed, thus increasing the divergence between the currently installed and the latest available pattern version.


4.4.2 Configuration

By default, new update packages are automatically downloaded to UTM.

Firmware Download Interval

This option is set to 15 minutes by default, that is, Sophos UTM checks every 15 minutes for available firmware updates. Sophos UTM will automatically download (but not install) available firmware update packages. The precise time when this happens is distributed randomly within the limits of the selected interval. You can change the interval up to Monthly or you can disable automatic firmware download by selecting Manual from the drop-down list. If you select Manual you will find a Check for Up2Date Packages Now button on the Overview tab.

Pattern Download/Installation Interval

This option is set to 15 minutes by default, that is, Sophos UTM checks every 15 minutes for available pattern updates. Sophos UTM will automatically download and install available pattern update packages. The precise time when this happens is distributed randomly within the limits of the selected interval. You can change the interval up to Monthly or you can disable automatic pattern download and installation by selecting Manual from the drop-down list. If you select Manual you will find an Update Patterns Now button on the Overview tab.

4.4.3 Advanced

The Management > Up2Date > Advanced tab lets you configure further Up2Date options such as selecting a parent proxy or Up2Date cache for your UTM.

Note – Update packages can be downloaded from the Sophos UTM FTP server.

Manual Up2Date Package Upload: If your UTM does not have direct access to the Internet or an Up2Date cache to download new update packages directly, you can upload the update package manually. To do so, proceed as follows:

1.   Open the Upload File dialog window.

Click the Folder icon next to the Up2Date file box.

The Upload File dialog window opens.


2.   Select the update package.

Click Browse in the Upload File dialog window and select the update package you want to

upload.

3.   Click Start Upload .

The update package will be uploaded to UTM.

4.   Click Apply .

Your settings will be saved.

Parent Proxy

A parent proxy is often required in those countries that require Internet access to be routed through a government-approved proxy server. If your security policy requires the use of a parent proxy, you can set it up here by selecting the host definition and port.

Use a parent proxy:

1.   Select the checkbox to enable parent proxy use.

2.   Select or add the host.

3.   Enter the port of the proxy.

How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

4.   Click Apply.

Your settings will be saved.

Proxy requires authentication: If the parent proxy requires authentication, enter username and password here.

Note – The parent proxy is disabled when the option Use ACC Server as Up2Date Cache is enabled on the Central Management > Astaro Command Server tab.

If a parent proxy is configured, Sophos UTM fetches both firmware and pattern Up2Dates from it.

4.5 Backup/Restore

The backup/restore function allows you to save the UTM settings to a file on a local disk. This backup file allows you to install a known good configuration on a new or misconfigured system.

Be sure to make a backup after every system change. This will ensure that the most current settings are always available. In addition, keep your backups in a safe place, as they also contain security-relevant data such as certificates and cryptographic keys. After generating a backup, you should always check it for readability. It is also a good idea to use an external program to generate checksums (MD5 as traditionally suggested, or preferably SHA-256), for this will allow you to check the integrity of the backup later on. Note that a checksum detects corruption, not deliberate tampering by someone who can also rewrite the checksum, so store the checksum list separately from the backups.

4.5.1 Backup/Restore

On the Management > Backup/Restore > Backup/Restore tab you can create backups, import backups, as well as restore, download, send, and delete existing backups.

Available Backups

This section is only visible if at least one backup has been created before, either by the automatic backup function or manually (see section Create Backup).

All backups are listed giving date and time of their creation, their UTM version number, the user who created it, and the comment.

You can decide whether to download, restore, delete, or send a backup.

- Download: Opens a dialog window where you can decide to download the file encrypted (provide password) or unencrypted. Click Download Backup. You are prompted to select a location in the file system for the downloaded backup to reside.

  - Encrypt before downloading: Before downloading or sending it, you have the option to encrypt the backup. Encryption is realized with the Blowfish cipher in CBC mode; the protection therefore rests on the strength of the password you choose. Provide a password (second time for verification). You will be asked for this password when importing the backup. The file extension for encrypted backups is ebf, for unencrypted backups abf.

Note – A backup does include administrator passwords, the high availability passphrase if configured, as well as all RSA keys and X.509 certificates. Since this information is confidential, it is good practice to enable encryption.

- Restore: Replaces the current system settings by the settings stored in a backup. You will have to log in again afterwards. If the selected backup contains all data you can log in directly. If the selected backup does not contain all data (see section Create Backup) you will have to enter the necessary data during the login procedure. If only the host data has been removed in the selected backup you can add an additional administrative email address if you want. It will be used where no recipient is given and as additional address where multiple recipients are possible.

Note – Backup restoration is only backward compatible. Only backups from the same or an older UTM version than the one currently installed are considered functional.

  - Restoring backups from USB flash drive: You can also restore unencrypted backup files (file extension abf) from a FAT formatted USB flash drive such as a simple USB stick. To restore a backup from a USB flash drive, copy the backup file to the USB flash drive and plug the device into Sophos UTM prior to boot up. If several backup files are stored on the device, the lexicographically first file will be used (numbers precede letters). For example, suppose the backup files gateway_backup_2012-04-17.abf and 2011-03-20_gateway_backup.abf are both stored on the USB flash drive. During boot up, the second file will be used because it begins with a number, although it is much older than the other one.

    In addition, a lock file is created after the successful recovery of a backup, preventing the installation of the same backup over and over again while the USB flash drive is still plugged in. However, if you want to install a previous backup once again, you must first reboot with no USB flash drive plugged in. This will delete all lock files. When you now boot with the USB flash drive plugged in again, the same backup can be installed.

    Because an abf file on a USB stick is restored unattended at boot and carries keys and passwords in cleartext, keep such sticks under the same physical control as the appliance itself.
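The integrity check recommended at the start of this section and the USB selection rule described just above, as an added Python example that is not part of the UTM guide or of the product. It assumes the backups have been downloaded to a local directory; the manifest layout, the function names and the constructed sample files are this example's own, and plain byte-order sorting is assumed to match the appliance's "lexicographically first, numbers before letters" rule.

```python
"""Integrity and selection checks for downloaded Sophos UTM backups.

Added example, not UTM code: builds and verifies a SHA-256 manifest for
backup files, flags unencrypted .abf files (they hold keys and passwords),
and reproduces the USB restore selection rule described in the guide.
"""
import hashlib
import os
import tempfile

BACKUP_EXTENSIONS = (".abf", ".ebf")  # unencrypted / encrypted, per the guide


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large backups stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_backups(directory):
    """Backup files in a directory, sorted for a stable manifest order."""
    return sorted(name for name in os.listdir(directory)
                  if name.lower().endswith(BACKUP_EXTENSIONS))


def write_manifest(directory, manifest_path):
    """Write '<sha256>  <filename>' lines (the layout sha256sum -c reads)."""
    entries = {name: sha256_file(os.path.join(directory, name))
               for name in list_backups(directory)}
    with open(manifest_path, "w", encoding="utf-8") as fh:
        for name, hexdigest in entries.items():
            fh.write(f"{hexdigest}  {name}\n")
    return entries


def verify_manifest(directory, manifest_path):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}.

    UNLISTED marks a backup on disk that nobody recorded in the manifest.
    """
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, name = line.split("  ", 1)
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                results[name] = "MISSING"
            elif sha256_file(path) != expected:
                results[name] = "MISMATCH"
            else:
                results[name] = "ok"
    for name in list_backups(directory):
        results.setdefault(name, "UNLISTED")
    return results


def unencrypted_backups(directory):
    """Backups stored as .abf: admin passwords, RSA keys and certificates in cleartext."""
    return [n for n in list_backups(directory) if n.lower().endswith(".abf")]


def usb_restore_candidate(filenames):
    """Which file UTM would restore from a USB stick at boot.

    Only .abf files qualify and the lexicographically first name wins. Byte-order
    sorting (assumed here to match the appliance) puts '0'-'9' before letters.
    """
    candidates = sorted(n for n in filenames if n.endswith(".abf"))
    return candidates[0] if candidates else None


def _demo():
    """Constructed sample data: two fake backups, one tampered with afterwards."""
    with tempfile.TemporaryDirectory() as workdir:
        names = ["gateway_backup_2012-04-17.abf", "2011-03-20_gateway_backup.ebf"]
        for name in names:
            with open(os.path.join(workdir, name), "wb") as fh:
                fh.write(b"constructed backup payload for " + name.encode())
        manifest = os.path.join(workdir, "SHA256SUMS")
        write_manifest(workdir, manifest)
        before = verify_manifest(workdir, manifest)
        with open(os.path.join(workdir, names[0]), "ab") as fh:
            fh.write(b"\x00")  # simulate bit rot or tampering on the cleartext copy
        after = verify_manifest(workdir, manifest)
        return before, after, unencrypted_backups(workdir)


if __name__ == "__main__":
    before, after, cleartext = _demo()
    print("before tamper:", before)
    print("after tamper: ", after)
    print("unencrypted  :", cleartext)
    print("USB pick     :", usb_restore_candidate(
        ["gateway_backup_2012-04-17.abf", "2011-03-20_gateway_backup.abf"]))
```

Run the manifest step right after downloading a backup and keep the SHA256SUMS file somewhere the backups are not, for example with the documentation of the change that prompted the backup; the verify step then tells you before a restore whether the file you are about to load is the one you saved.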

- Delete: Deletes a backup from the list. Using the Delete icon at the bottom of the list, you can delete all selected backups. To select backups, click the checkboxes to the left of the backups or use the checkbox at the bottom to select all backups.

- Send: In a dialog window you can specify the email recipients. By default, the address(es) provided on the Automatic Backups tab are selected. Then decide if you want to send the file encrypted (provide password) or unencrypted. Click Send Now to send the backup.

  - Encrypt before sending: See Encrypt before downloading above.

Create Backup

Backups are not only useful to restore your system after an (unwanted) change or failure. Moreover, they can be used as templates to set up systems that should have a similar configuration, so that those systems are already pre-configured in some way, which can save you a lot of time. For that, you can strip certain information from a backup before it is created, e.g. hostname, certificates, etc.

To create a backup with the current system state, proceed as follows:

1.   In the Create Backup section, enter a comment (optional).

The comment will be displayed along with the backup in the backup list.

2.   Make the following settings (optional):

Remove unique site data: Select this option to create the backup without host-specific data. This includes hostname, system ID, SNMP data, HA data, license, shell user passwords, and anonymization passwords as well as all certificates, public and private keys, fingerprints and secrets of Email Protection, Web Protection, Client Authentication, IPsec, SSL VPN, RED, WebAdmin, Web Application Firewall, and proxies.

Such backups are a convenient means to set up multiple similar systems. There are some things to consider though: 1) After restoring you are presented the basic system setup. 2) Only the first interface is configured, the primary IP address being the one that has been configured during installation. All other interfaces will be disabled and set to IP address 0.0.0.0.

Caution – Although most of the host-specific data is being removed, such a backup template still contains confidential information, such as user passwords. Therefore it is good practice to always encrypt it.

Remove administrative mail addresses: Select this option to additionally remove the administrator email addresses used in various parts of UTM, e.g. postmaster addresses in Email Protection, notifications, etc. This option is especially useful for IT partners who set up Sophos UTM devices at customers' sites.

3.   Click Create Backup Now.

The backup appears in the list of available backups.

If a backup is created with one or both of the options selected, the backup entry contains a respective additional comment.

Import Backup

To import a backup, proceed as follows:

1.   Click the Folder icon and select a backup file to upload.

2.   Click Start Upload .


3.   Decrypt the backup.

If you want to upload an encrypted backup file, you must provide the correct passphrase

prior to importing the backup.

4.   Click Import Backup to import the backup.

Note that the backup will not instantly be restored. Instead, it will be added to the Available Backups list.

4.5.2 Automatic Backups

On the Management > Backup/Restore > Automatic Backup tab you can configure several options dealing with the automatic generation of backups. To have backups created automatically, proceed as follows:

1.   Enable automatic backups on the Automatic Backups tab.

Click the toggle switch.

The toggle switch turns green and the Options and Send Backups by Email areas become editable.

2.   Select the interval.

Automatic backups can be created at various intervals. You can choose between daily, weekly, and monthly.

3.   Specify the maximum number of backups to be stored.

Automatically created backups are stored up to the number you enter here. Once the maximum has been reached, the oldest automatic backups will be deleted.

Note that this applies to automatically created backups only. Backups created manually and backups created automatically before a system update will not be deleted.

4.   Click Apply.

Your settings will be saved.

To save you the work of backing up your UTM manually, the backup feature supports emailing the backup file to a list of defined email addresses.

Recipients: Automatically generated backups will be sent to the addresses contained in the Recipients box. Multiple addresses can be added. By default, the first administrator's email address is used.

Encrypt email backups: In addition, you have the option to encrypt the backup (Triple DES encryption). Since the backup contains keys and passwords and Triple DES is a legacy cipher, always enable this option for emailed backups, choose a strong password, and treat the receiving mailbox as sensitive.


Password: Once you have selected the Encrypt email backups option, provide a password (second time for verification). You will be prompted for this password when importing the backup.

Automatically created backups will appear in the Available Backups list on the Backup/Restore tab, marked with the System flag indicating the Creator. From there, they can be restored, downloaded, or deleted like any backup you have created yourself.

4.6 User Portal

The User Portal of Sophos UTM is a special browser-based application on the unit providing personalized email and remote access services to authorized users. It can be accessed by browsing to the URL of Sophos UTM, for example https://192.168.2.100 (note the HTTPS protocol and the missing port number 4444 you would normally enter for accessing the WebAdmin interface).

Among other things, the User Portal contains the email quarantine, which holds messages that are infected by malicious software, contain suspicious attachments, are identified as spam, or contain certain expressions you have explicitly declared forbidden.

On the login page, users can select a language from the drop-down list located on the right side of the header bar.

Figure 11   User Portal: Welcome Page

On the User Portal, users have access to the following services:


- SMTP Quarantine: Users can view and release messages held in quarantine. Which types of messages they are allowed to release can be determined on the Email Protection > Quarantine Report > Advanced tab. (The tab is called Mail Quarantine when POP3 is disabled.)

- SMTP Log: Here, users can view the SMTP log of their mail traffic. (The tab is called Mail Log when POP3 is disabled.)

- POP3 Quarantine: Users can view and release messages held in quarantine. Which types of messages they are allowed to release can be determined on the Email Protection > Quarantine Report > Advanced tab. (The tab is called Mail Quarantine when SMTP is disabled.)

- POP3 Accounts: Users can enter the credentials of POP3 accounts they use. Only those spam emails will appear in the User Portal for which POP3 account credentials are given. A user for whom POP3 account credentials are stored will receive an individual Quarantine Report for each email address. Note that allowed POP3 servers must be specified on the Email Protection > POP3 > Advanced tab.

- Sender Whitelist: Here, senders can be whitelisted, so that messages from them are not regarded as spam. However, emails with viruses or unscannable emails will still be quarantined. Whitelisted senders can be specified by either entering valid email addresses (e.g., [email protected]) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com). If a Whitelist entry matches exactly, the sender blacklist check will be skipped. Keep in mind that the match is made on the sender address, which is easily forged, so whitelisting a whole domain switches off spam checks for anyone spoofing that domain.

- Sender Blacklist: Here, users can blacklist email senders, e.g. [email protected], or whole domains, e.g. *@hotmail.com. The blacklist is applied to both SMTP and POP3 email, if these are in use on the system. Blacklisted senders can be specified by clicking the Plus icon, entering the address and clicking the Tick icon to save it.

- Hotspots: Here, users can find and manage access data for hotspots. The tab is only available if at least one hotspot has been enabled for the specific user. For hotspots of the type password-of-the-day, the current password is available and can be changed. For hotspots of the type voucher, vouchers can be generated, printed, exported, and deleted. A list of generated vouchers shows information on their usage. For more information see Wireless Protection > Hotspots.

- Client Authentication: Here, users can download the setup file of the Sophos Authentication Agent (SAA). The SAA can be used as authentication mode for the Web Filter. The Client Authentication tab is only available if Client Authentication is enabled. For more information see Definitions & Users > Client Authentication.

• OTP Token: Here, users find one or more QR codes and the respective detail information for configuring the UTM's one-time password service on their mobile devices. For more information see Definitions & Users > Authentication Services > One-time Password.

• Remote Access: Users can download remote access client software and configuration files provided for them. However, the Remote Access tab is only available if at least one remote access mode has been enabled for the specific user.

• HTML5 VPN Portal: Here, users can open VPN connections to predefined hosts using predefined services. The tab is only available if at least one VPN connection has been enabled for the specific user. For more information see Remote Access > HTML5 VPN Portal.

• Change Password: Users can change the password for accessing the User Portal.

• HTTPS Proxy: Users can import the HTTP/S Proxy CA certificate to get rid of error messages when visiting secure websites. After clicking Import Proxy CA Certificate, users will be prompted by their browser to trust the CA for different purposes. For more information see Web Protection > Filtering Options > HTTPS CAs.

• Log out: Click here to log out of the User Portal. This is only necessary when you have selected Remember My Login at login (which creates a cookie) and you want to explicitly log out and have this cookie deleted. Otherwise, there is no need to use the Log out link; closing the browser tab or window is sufficient.

4.6.1 Global

On the Management > User Portal > Global tab you can enable the User Portal. Additionally, you can specify which networks and which users should be granted access to the User Portal.

To enable User Portal access, proceed as follows:

1. Enable the User Portal.
   Click the toggle switch.
   The toggle switch turns amber and the End-User Portal Options area becomes editable.

2. Select the allowed networks.
   Add or select the networks that should be allowed to access the User Portal. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

3. Select the allowed users.
   Select the users or user groups, or add new users, that should be able to access the User Portal. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.
   If you do not want to grant access to all users, unselect the Allow all users checkbox and select the users and user groups individually.

4. Click Apply.
   Your settings will be saved.

4.6.2 Advanced

On the Advanced tab you can configure an alternative hostname and port number for the User Portal as well as language and security options.

Language

During login, the User Portal fetches the language settings of the web browser and loads the respective locales to display the portal in the same language as the browser default. For browser language settings that are not available for the User Portal, you can select here which language will be the fallback language. Users additionally have the option to select a language on the User Portal login page.

Security

The User Portal uses cookies to track sessions. Persistent cookies permit users to return after having closed a session without having to log in again. They can always be deleted from the user side, however, by using the Log Out button of the User Portal.

Disable Portal Items

For the features listed here a menu item is displayed in the User Portal when the respective feature has been enabled in WebAdmin. However, here you can define menu items that should not be displayed in the User Portal. To do so, select the respective option(s) and click Apply.

Network Settings

Hostname: By default, this is the UTM's hostname as given on the Management > System Settings > Hostname tab. However, if you want to grant access to the User Portal for users gaining access over the Internet, it might be necessary to enter an alternative hostname here that can be publicly resolved.

Listen Address: The default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen on for User Portal connections. This is necessary for the User Portal connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.

Port: By default, port 443 for HTTPS is selected. You can change the port to any value in the range from 1024 to 65535. Note that you cannot select either 10443 or the WebAdmin TCP Port, which is configured on the Management > WebAdmin Settings > Advanced tab. Independent of the defined port, the User Portal can always be accessed via HTTPS only.

Welcome Message

You can customize the welcome message of the User Portal. Simple HTML markup and hyperlinks are allowed.

Note – Changing the welcome message is not possible when using a home use license.

4.7 Notifications

Sophos UTM comes with a notification feature that informs you immediately about all sorts of security-relevant events occurring on UTM, either by email or SNMP trap. All events that might possibly be of interest to an administrator are represented by various error, warning, and information codes. Which notifications are sent depends on the selection you have configured on the Notifications tab.

4.7.1 Global

On the Management > Notifications > Global tab you can configure the sender address (i.e., the From address) to be used for notification emails sent by UTM. By default, this is do-not-[email protected]. If you want to change this address, it is advisable to enter an email address of your domain, as some mail servers might be configured to check whether a given sender address really exists.

In addition, you can specify the recipients of UTM notifications. By default, this is the administrator's email address you entered during the initial setup.

Limit Notifications: Some security-relevant events such as detected intrusion attempts will create a lot of notifications, which may quickly clog the notification recipients' email inboxes. For this reason, Sophos UTM has sensible default values to limit the number of notifications sent per hour. If you disable this option, every security-relevant event will create a notification, provided the event is configured to send a notification on the Management > Notifications > Notifications tab.

Device Specific Text

Here you can enter a description of Sophos UTM, e.g. its location, which will be displayed in the notifications sent.

4.7.2 Notifications

Notifications are divided into three categories:

• CRIT: Messages informing about critical events that might render UTM inoperable.

• WARN: Warnings about potential problems that need your attention, for example, exceeding thresholds.

• INFO: Merely informational messages such as the restart of a system component, for example.

You can select whether you want to send the notification as email or SNMP trap.

4.7.3 Advanced

In case your UTM cannot send emails directly, you can configure a smarthost to send the emails. Proceed as follows:

1. Enable External SMTP Server Status on the Management > Notifications > Advanced tab.
   Click the toggle switch.

2. Enter your smarthost.
   You can use drag-and-drop. The port is preset to the default SMTP port 25.
   • Use TLS: Select this checkbox if you want to enforce TLS when sending notifications. Note that notifications will not be sent if the smarthost does not support TLS.

3. Specify the authentication settings.
   If the smarthost requires authentication, check the Authentication checkbox and enter the corresponding username and password.

4. Click Apply.
   Your settings will be saved.

4.8 Customization

The tabs under Management > Customization allow you to customize and localize email notifications and status messages created by Sophos UTM, making it possible to adapt those messages to both your policy and your corporate identity.

In addition, you can edit and upload custom web templates to further change the way that users receive block messages and other notifications.

Note – Customization is not possible when using a home use license.

4.8.1 Global

On the Management > Customization > Global tab you can customize global display options for the system messages presented to users. Note that UTF-8/Unicode is supported.

The example below shows the customizable global options (Company Logo and Custom Company Text), along with an example of a "Content Block" message, which is configured on the Management > Customization > Web Messages page.

Figure 12 Customization: Example Blocked Page and Its Customizable Parts

Company Logo

You can upload your own logo/banner (in png format only), which is used in the following contexts:

• Web messages

• POP3 blocked messages

• Quarantine release status messages (which will appear in the Quarantine Report after a spam email has been released from the quarantine or whitelisted)

• Quarantine Report

Some of the messages displayed to users have been optimized for the default logo (195 x 73 pixels with a transparent background). For the best-looking results, use an image that has the same attributes.

To upload a logo:

1. Open the Upload file dialog window.
   Click the Folder icon next to the Upload new logo box.
   The Upload file dialog window opens.

2. Select the logo.
   Browse to the location where the logo that you want to upload resides.
   Once you have selected the logo, click Start Upload.

3. Click Apply.
   The logo will be uploaded, replacing the file that is already installed.

Custom Company Text

Customize the message that will be displayed beneath the company logo whenever a website was blocked by the virus scanner or the content filter of Sophos UTM. For example, you might want to enter the administrator's contact data here.

4.8.2 Web Messages

Customize the text for web filtering messages displayed by Sophos UTM. Some messages are displayed when users are restricted from downloading files that are too large, are of a certain type, or contain a virus. Other messages are displayed when users attempt to access restricted websites or applications, while users are downloading files, or when users are required to authenticate with the UTM. You can translate messages into other languages or, for example, modify the messages to show customer support contact information.

Note – The text entered in the fields of the Web Messages tab can be referenced in custom web templates. For more information, see Web Templates.

The following messages are configurable:

Content Block

• Surf Protection: This message is displayed when a user attempts to access a webpage whose URL matches a category that is configured to be blocked or the site's reputation falls below the specified threshold. For more information, see Web Protection > Web Filtering.

• Blacklist: This message is displayed when a user attempts to retrieve a webpage that matches a blacklisted URL. To blacklist URLs, see Web Protection > Web Filtering > Policies > Website Filtering.

• MIME Type: This message is displayed when a user requests a file that is a blocked MIME type. For more about specifying MIME types, see Web Protection > Web Filtering > Policies > Downloads.

• File Extension: This message is displayed when a user requests a blocked file extension. For more about specifying file extensions, see Web Protection > Web Filtering > Policies > Downloads.

• File Size: This message is displayed when a user requests a file that exceeds the file size limit. To configure download size limits, see Web Protection > Web Filtering > Policies > Downloads.

• Application Control: This message is displayed when a user attempts to use a type of network traffic that is configured to be blocked by Application Control. For more information on Application Control, see Web Protection > Application Control.

• Virus Detected: This message is displayed when a file is blocked due to a virus infection. For more information on configuring virus protection, see Web Protection > Web Filtering > Policies > Antivirus.

Download/Scan

• Download in Progress: This message is displayed while a file is being downloaded. See Download Manager.


• Virus Scan in Progress: This message is displayed while the UTM scans files for malicious content. See Download Manager.

• Download Complete: This message is displayed after a file has been fully downloaded, scanned, and determined safe. See Download Manager.

Authentication

• Transparent Mode Authentication: This option only applies if you use Web Filtering in Transparent Mode and you have selected the "Browser" authentication mode. For more information, see Web Protection > Web Filter Profiles > Filter Profiles. The text is displayed on the authentication page, where users must log in before using the Web Filter. If the Terms of Use field is filled in, a disclaimer is displayed on the authentication page. If this field is empty (as it is by default), no disclaimer is displayed.

• Bypass Content Block: This message is displayed when a page is blocked by Surf Protection and the option to bypass blocking is enabled (see Web Protection > Filtering Options > Bypass Users). If the Terms of Use field is filled in, a disclaimer is displayed on the authentication page. If this field is empty (as it is by default), no disclaimer is displayed.

Error

• Server Error: This message is displayed if an error occurs while processing the user's request.

Administrator Information: Here you can enter information about the administrator managing the Web Filter, including the administrator's email address.

4.8.2.1 Modifying a Web Message

To modify a Content Block, Download/Scan, Authentication, or Error message:

1. Select the message.
   From the Page drop-down list, select the end user message that you want to edit.
   The Subject and Description for that message are displayed.

2. Modify the Subject and/or Description.
   Modify the default text as necessary.

3. Click Apply.
   The text changes are saved.


4.8.2.2 Download Manager

If the Web Filter is enabled, the web browser will display the following download pages while downloading content greater than 1 MB in size that is neither text nor an image. The download page will not be displayed when video or audio streams are requested or when more than 50 % of the file has been downloaded within five seconds.

The information provided on the download pages can be customized on the Web Messages tab.
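The Download Manager rule above, as an added example (Python, not Sophos code): the decision for one HTTP response given its Content-Type, its size, and how much of it arrived within the first five seconds. Assumptions not stated in the manual: 1 MB is taken as 1,048,576 bytes, the text/image/video/audio test uses the top-level MIME type, and a response whose size is unknown gets no download page.

```python
"""Decision logic for the Web Filter download page, as the manual describes it.

Added example, not Sophos code. The rule in the manual: show the download
page for content larger than 1 MB that is neither text nor an image, but
not for video/audio streams and not when more than 50 % of the file
arrived within five seconds. Assumptions made here: 1 MB = 1,048,576 bytes,
the text/image/video/audio test uses the top-level MIME type, and a
response with no known size (no Content-Length) gets no download page.
"""
from typing import List, Optional, Tuple

ONE_MB = 1024 * 1024          # assumption: binary megabyte
FAST_WINDOW_SECONDS = 5       # from the manual: "within five seconds"


def top_level_type(content_type: str) -> str:
    """'application/zip; charset=binary' -> 'application'."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media.split("/", 1)[0]


def download_page_decision(web_filter_enabled: bool, content_type: str,
                           content_length: Optional[int],
                           bytes_after_5s: int) -> Tuple[bool, str]:
    """Return (show_page, reason) for one response.

    `bytes_after_5s` is how much of the body had been received when the
    five-second window closed (the full length if it finished earlier).
    """
    if not web_filter_enabled:
        return False, "web filter disabled"
    if content_length is None:
        return False, "size unknown"            # assumption, see docstring
    if content_length <= ONE_MB:
        return False, "not larger than 1 MB"
    kind = top_level_type(content_type)
    if kind in ("text", "image"):
        return False, f"{kind} content is exempt"
    if kind in ("video", "audio"):
        return False, "stream requested"
    # "more than 50 %" is strictly greater: exactly half still shows the page
    if bytes_after_5s * 2 > content_length:
        return False, "more than 50 % received within 5 s"
    return True, "show download page"


# Constructed sample responses (not from the manual): type, length, bytes in 5 s
SAMPLE_RESPONSES = [
    ("application/zip", 8 * ONE_MB, 1 * ONE_MB),
    ("application/pdf", 3 * ONE_MB, 2 * ONE_MB),
    ("video/mp4", 50 * ONE_MB, 1 * ONE_MB),
    ("text/html; charset=utf-8", 2 * ONE_MB, 0),
    ("image/png", 2 * ONE_MB, 0),
    ("application/octet-stream", 512 * 1024, 0),
]


def classify_samples() -> List[Tuple[str, bool, str]]:
    """Run every sample through the decision; returns (type, show, reason) triples."""
    out = []
    for ctype, length, got in SAMPLE_RESPONSES:
        show, why = download_page_decision(True, ctype, length, got)
        out.append((ctype, show, why))
    return out


if __name__ == "__main__":
    for ctype, show, why in classify_samples():
        print(f"{ctype:28} {'PAGE' if show else 'no page':8} {why}")
```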

Figure 13 Customization: HTTP Download Page Step 1 of 3: Downloading File

Figure 14 Customization: HTTP Download Page Step 2 of 3: Virus Scanning


Figure 15 Customization: HTTP Download Page Step 3 of 3: File Download Completed

4.8.3 Web Templates

To customize both the appearance and content of messages that are displayed to users, you can upload HTML files to Sophos UTM. As a guide, Sophos provides several sample templates. These templates show you how to use variables that can dynamically insert information that is relevant for individual user messages. For example, if a file is blocked because it contains a virus, you can include a variable that inserts the name of the virus that was blocked.

4.8.3.1 Customizing Web Templates

Caution – Customizing Sophos UTM notifications is an advanced topic. Only those with sufficient knowledge of HTML and JavaScript should attempt these tasks.

You can upload custom versions of Sophos UTM notifications, including block messages, status messages, error messages, and authentication prompts. The four sample templates contain working examples of variables as well as several sample images. Either use the sample templates as a basis for your custom messages and notifications or upload your own HTML files.

Valid variables are described in Using Variables in UTM Web Templates in the Sophos Knowledgebase.

If you want to use the text from a message configured on the Web Messages tab, you can insert the appropriate variable in your custom template. For more information, see Web Messages.

To download the sample templates and images, click the link below, and save the .zip file:

http://www.astaro.com/lists/Web_Templates.zip


4.8.3.2 Uploading Custom Web Templates and Images

Once you have edited and saved your custom template, you are ready to upload it to the UTM.

To upload a web template or image:

1. Open the Upload file dialog window.
   Click the Folder icon next to the name of the type of template that you want to upload, or click the Folder icon next to Images if you want to upload an image.
   Note – The supported file types are .png, .jpg, .jpeg, and .gif.
   The Upload file dialog window opens.

2. Select the template or image.
   Browse to the location of the template or image that you want to upload.
   Once you have selected the template or image, click Start Upload.
   The Upload file dialog window closes.

3. Click Apply.
   The template or image will be uploaded.

4.8.4 Email Messages

Customize the text that is displayed in user messages generated by the SMTP/POP3 proxies of Sophos UTM. You can translate these messages into other languages or modify them to show customer support contact information, for example. The following messages can be customized:

Quarantine

Email released from quarantine: This message is shown when an email was successfully released from the quarantine.

Error on releasing email from quarantine: This message is shown when an error occurred while releasing an email from the quarantine.

POP3

POP3 message blocked: This message is sent to the recipient when a POP3 email message was blocked.


Figure 16 Customization: POP3 Proxy Blocked Message

4.9 SNMP

The Simple Network Management Protocol (SNMP) is used by network management systems to monitor network-attached devices such as routers, servers, and switches. SNMP allows the administrator to make quick queries about the condition of each monitored network device. You can configure Sophos UTM to reply to SNMP queries or to send SNMP traps to SNMP management tools. The former is achieved with so-called management information bases (MIBs). An MIB specifies what information can be queried for which network device. Sophos UTM supports SNMP versions 2 and 3 and the following MIBs:

• DISMAN-EVENT-MIB: Event Management Information Base

• HOST-RESOURCES-MIB: Host Resources Management Information Base

• IF-MIB: Interfaces Group Management Information Base

• IP-FORWARD-MIB: IP Forwarding Table Management Information Base

• IP-MIB: Management Information Base for the Internet Protocol (IP)

• NOTIFICATION-LOG-MIB: Notification Log Management Information Base

• RFC1213-MIB: Management Information Base for Network Management of TCP/IP-based Internet: MIB II

• SNMPv2-MIB: Management Information Base for the Simple Network Management Protocol (SNMP)

• TCP-MIB: Management Information Base for the Transmission Control Protocol (TCP)

• UDP-MIB: Management Information Base for the User Datagram Protocol (UDP)


In order to get Sophos UTM system information, an SNMP manager must be used that has at least the RFC1213-MIB (MIB II) compiled into it.

4.9.1 Query

On the Management > SNMP > Query page you can enable the usage of SNMP queries.

To configure SNMP queries, proceed as follows:

1. Enable SNMP Queries.
   Click the toggle switch.
   The sections SNMP Version and SNMP Access Control become editable.

2. Select the SNMP version.
   In the SNMP Version section, select a version from the drop-down list. SNMP version 3 requires authentication.

3. Select allowed networks.
   Networks listed in the Allowed Networks box are able to query the SNMP agent running on Sophos UTM. Note that the access is always read-only.
   • Community String: When using version 2, enter a community string. An SNMP community string acts as a password that is used to protect access to the SNMP agent. By default, the SNMP community string is "public", but you can change it to any setting that best suits your needs.
   Note – Allowed characters for the community string are: (a-z), (A-Z), (0-9), (+), (_), (@), (.), (-), (blank).
   • Username/Password: When using version 3, authentication is required. Enter a username and password (a second time for verification) to enable the remote administrator to send queries. The password must have at least eight characters. SNMP v3 uses SHA for authentication and AES for encryption. Note that the username and password are used for both of them.

4. Click Apply.
   Your settings will be saved.

Furthermore, you can enter additional information about UTM.


Device Information

The Device Information text boxes can be used to specify additional information about UTM such as its name, location, and administrator. This information can be read by SNMP management tools to help identify UTM.

Note – All SNMP traffic (protocol version 2) between UTM and the Allowed Networks is not encrypted and can be read during the transfer over public networks.

Astaro Notifier MIB

This section allows you to download the Astaro MIB which contains the definitions of the Sophos UTM notification SNMP traps. For historical reasons the MIB uses the Astaro Private Enterprise Code (SNMPv2-SMI::enterprises.astaro).

4.9.2 Traps

In the Traps tab you can define an SNMP trap server to which notifications of relevant events occurring on UTM can be sent as SNMP traps. Note that special SNMP monitoring software is needed to display those traps.

The messages that are sent as SNMP traps contain so-called object identifiers (OID), for example, .1.3.6.1.4.1.9789, which belong to the private enterprise numbers issued by IANA. Note that .1.3.6.1.4.1 is the iso.org.dod.internet.private.enterprise prefix, while 9789 is Astaro's Private Enterprise Number. The OID for notification events is 1500, to which are appended the OIDs of the type of the notification and the corresponding error code (000-999). The following notification types are available:

• DEBUG = 0

• INFO = 1

• WARN = 2

• CRIT = 3

Example: The notification "INFO-302: New firmware Up2Date installed" will use the OID .1.3.6.1.4.1.9789.1500.1.302 and has the following string assigned:

[<HOST>][INFO][302]


Note that <HOST> is a placeholder representing the hostname of the system and that only the type and error code from the notification's subject field are transmitted.

To select an SNMP v2c trap server, proceed as follows:

1. Click New SNMP Trap Sink.
   The Create New SNMP Trap Sink dialog box opens.

2. Make the following settings:
   SNMP Version: Select SNMP v2c from the drop-down list.
   Host: The host definition of the SNMP trap server.
   Community: An SNMP community string acts as a password that is used to protect access to querying SNMP messages. By default, the SNMP community string is set to "public". Change it to the string that is configured on the remote SNMP trap server.
   Note – Allowed characters for the community string are: (a-z), (A-Z), (0-9), (+), (_), (@), (.), (-), (blank).
   Comment (optional): Add a description or other information.

3. Click Save.
   The new SNMP trap server will be listed on the Traps tab.
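The trap OID layout described under Traps, together with the community-string character rule from the two notes above, as an added example (Python, not Sophos code): it builds the OID for a notification subject such as "INFO-302: ...", decodes an OID back into type and error code, and checks a community string against the allowed character set. Assumptions not stated in the manual: the error code is zero-padded to three digits in the trap string, and an empty community string is rejected.

```python
"""Sophos UTM notification trap OIDs and community-string checks.

Added example, not Sophos code. Encodes the layout described in the manual:
  .1.3.6.1.4.1        iso.org.dod.internet.private.enterprise
  .9789               Astaro Private Enterprise Number
  .1500               notification events
  .<type>.<code>      DEBUG=0 INFO=1 WARN=2 CRIT=3, error code 000-999
and the trap string "[<HOST>][<TYPE>][<CODE>]". Assumptions: the error code
is zero-padded to three digits in the string, and an empty community string
is rejected by the character-set check.
"""
import re
from typing import Tuple

ENTERPRISE_PREFIX = (1, 3, 6, 1, 4, 1)   # iso.org.dod.internet.private.enterprise
ASTARO_PEN = 9789                        # Astaro's Private Enterprise Number
NOTIFICATION_ARC = 1500                  # OID for notification events
TYPE_TO_ARC = {"DEBUG": 0, "INFO": 1, "WARN": 2, "CRIT": 3}
ARC_TO_TYPE = {v: k for k, v in TYPE_TO_ARC.items()}

# Allowed characters per the manual: (a-z), (A-Z), (0-9), (+), (_), (@), (.), (-), (blank)
_COMMUNITY_RE = re.compile(r"^[A-Za-z0-9+_@.\- ]+$")
_SUBJECT_RE = re.compile(r"^(DEBUG|INFO|WARN|CRIT)-(\d{3})\b")


def community_string_ok(value: str) -> bool:
    """True if `value` is non-empty and uses only the characters WebAdmin accepts."""
    return bool(_COMMUNITY_RE.match(value))


def parse_subject(subject: str) -> Tuple[str, int]:
    """'INFO-302: New firmware Up2Date installed' -> ('INFO', 302)."""
    m = _SUBJECT_RE.match(subject.strip())
    if not m:
        raise ValueError(f"not a notification subject: {subject!r}")
    return m.group(1), int(m.group(2))


def subject_to_oid(subject: str) -> str:
    """Build the trap OID, e.g. '.1.3.6.1.4.1.9789.1500.1.302'."""
    ntype, code = parse_subject(subject)
    arcs = ENTERPRISE_PREFIX + (ASTARO_PEN, NOTIFICATION_ARC, TYPE_TO_ARC[ntype], code)
    return "." + ".".join(str(a) for a in arcs)


def trap_string(subject: str, host: str) -> str:
    """The string carried in the trap: only type and code are transmitted."""
    ntype, code = parse_subject(subject)
    return f"[{host}][{ntype}][{code:03d}]"


def decode_oid(oid: str) -> Tuple[str, int]:
    """Inverse of subject_to_oid: '.1.3.6.1.4.1.9789.1500.1.302' -> ('INFO', 302).

    Rejects OIDs outside the Astaro notification subtree, with a type arc
    that is not DEBUG/INFO/WARN/CRIT, or with a code outside 000-999.
    """
    try:
        arcs = tuple(int(a) for a in oid.strip().strip(".").split("."))
    except ValueError:
        raise ValueError(f"malformed OID: {oid!r}")
    head = ENTERPRISE_PREFIX + (ASTARO_PEN, NOTIFICATION_ARC)
    if len(arcs) != len(head) + 2 or arcs[:len(head)] != head:
        raise ValueError(f"not a Sophos UTM notification OID: {oid!r}")
    type_arc, code = arcs[-2], arcs[-1]
    if type_arc not in ARC_TO_TYPE or not 0 <= code <= 999:
        raise ValueError(f"bad type or code in OID: {oid!r}")
    return ARC_TO_TYPE[type_arc], code


if __name__ == "__main__":
    subject = "INFO-302: New firmware Up2Date installed"   # example from the manual
    oid = subject_to_oid(subject)
    print(oid, trap_string(subject, "<HOST>"), decode_oid(oid))
    for cs in ("public", "nms-ro_2014", "bad;community"):   # constructed samples
        print(f"{cs!r}: {'ok' if community_string_ok(cs) else 'rejected'}")
```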

SNMP version 3 requires authentication. To select an SNMP v3 trap server, proceed as follows:

1. Click New SNMP Trap Sink.
   The Create New SNMP Trap Sink dialog box opens.

2. Make the following settings:
   SNMP Version: Select SNMP v3 from the drop-down list.
   Host: The host definition of the SNMP trap server.
   Username: Enter the username for authentication.
   Authentication type: Select the authentication type from the drop-down list.
   Password: Enter the password for authentication.
   Repeat: Repeat the password for authentication.
   Encryption type: Select the encryption type from the drop-down list.
   Password: Enter the password for encryption.


   Repeat: Repeat the password for encryption.
   Engine ID: Enter the Engine ID.
   Comment (optional): Add a description or other information.

3. Click Save.
   The new SNMP trap server will be listed on the Traps tab.

4.10 Central Management

The pages of the Central Management menu let you configure interfaces to management tools that can be used to monitor or remotely administer the gateway.

4.10.1 Sophos UTM Manager

Sophos UTM Manager (SUM) is Sophos' central management product. You can connect several UTM appliances to a SUM where they can be centrally monitored, configured, and maintained. SUM 4.2 supports configuring UTM 9.2 only. Other UTM versions will appear in SUM as well and can be monitored. If, for example, a UTM 9.2 connects with a SUM 4.1, it falls into legacy mode. Then backups and Up2Date installations are still allowed.

On this tab, you can configure the connection of your UTM to one or two SUMs.

Note – When using MSP licensing, disabling SUM, changing the SUM host, or modifying the rights of the SUM administrator can only be done by Sophos UTM Manager (SUM).

To prepare Sophos UTM to be monitored by a SUM server, proceed as follows:

1. On the Sophos UTM Manager tab, enable SUM.
   Click the toggle switch.
   The toggle switch turns amber and the SUM Settings area becomes editable.

2. Specify the SUM host.
   Select or add the SUM server UTM should connect to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.


   • Authentication (optional): If the SUM server requires authentication, select this option and enter the same password (shared secret) as configured on the SUM server.
   • Use SUM server as Up2Date cache (optional): Up2Date packages can be fetched from a cache located on the SUM server. If you want to use this functionality for your gateway, select the option Use SUM server as Up2Date cache. Please ensure that on your managing SUM server the Up2Date cache functionality is enabled accordingly. Note that usage of the Up2Date cache functionality is mutually exclusive with using a parent proxy configuration for Up2Dates.

3. Define the rights of the SUM administrator.
   On SUM, the administrator responsible for this UTM can only administer those areas of your UTM which are explicitly allowed to be administered here. The rights listed here correspond to the SUM GatewayManager main menu and administrative options.
   Administration: If selected, the administrator can use all features located in the Maintenance and Management menus. He can, for example, view the inventory, create and restore backups, and schedule actions like firmware updates.
   Reporting: If selected, the administrator can use all features located in the Reporting menu. He can, for example, request reports from UTM.
   Monitoring: If selected, UTM will be displayed on the Monitoring pages and the administrator can use all associated features.
   Configuration: If selected, the administrator can use all features located in the Configuration menu. He can, for example, deploy objects (networks, hosts, VPNs) to UTM.
   Note – Please refer to the Sophos UTM Manager Administration Guide for detailed information.

4. Click Apply.
   Your settings will be saved.
   UTM will now try to establish a connection to Sophos UTM Manager. Once the connection between both systems is established, the connection status will turn green. Then UTM can be monitored and administered by the SUM server selected here. You will be able to see the current connection status and health in the SUM Health section. Reloading the page will update this data. Please use the Open Live Log button and read the messages from the message board carefully to be able to diagnose connection problems should they occur.

UTM 9 WebAdmin   95

4 Management   4.10 Central Management

Page 96: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 96/631

4.10 CentralManagement   4 Management

Settings for a Second SUM

In this section, you can optionally add a second SUM. This is useful in case, for example, you do the configuration by yourself (first SUM server) but want your machines still to be monitored by a third party, e.g. your MSSP (second SUM server). The settings are almost identical to the first SUM's settings, except that the Configuration option is missing because configuration rights are limited to the first SUM.

Note – The communication between the gateway and SUM takes place on port 4433, whereas the Sophos UTM Manager can be accessed through a browser via the HTTPS protocol on port 4444 for the WebAdmin and on port 4422 for the Gateway Manager interface.

SUM Health

You will be able to see the current connection status and health in the section called SUM Health. Reloading the page will update this data.

SUM Objects

This area is disabled (grayed out) unless there are objects that have been created via a SUM and this SUM is now disconnected from the Sophos UTM. SUM-created objects can be network definitions, remote host definitions, IPsec VPN tunnels, etc.

The button Cleanup Objects can be pressed to release any objects that were created by the SUM the device has formerly been managed with. These objects are normally locked and can only be viewed on the local device. After pressing the button, the objects become fully accessible and can be reused or deleted by a local administrator.

Note – Once former SUM-created objects are cleaned up, they cannot be re-transformed when reconnecting to that same SUM. This means that if the remote SUM still hosts object definitions for a device which later re-establishes a connection to it, those objects will be deployed to the device again, although local copies will then already exist.

Live Log

You can use the live log to monitor the connection between your Sophos UTM and the SUM. Click the Open Live Log button to open the live log in a new window.

4.11 Sophos Mobile Control

Sophos Mobile Control (SMC) allows you to organize mobile devices like smartphones and tablets (iOS, Android or Windows Phone). Here you can define compliant devices and users, secure the company's emails on mobile devices using a gateway to Exchange ActiveSync, and control which apps are allowed to be installed.

For more information visit the Sophos website: Sophos SMC webpage

In the Sophos UTM you can connect with the SMC to have an overview of the compliant and non-compliant devices and users, define network access for VPN and wireless networks, and push network configurations to the SMC server.

4.11.1 General

The Management > Sophos Mobile Control > General tab allows you to define the Sophos Mobile Control host and specify the customer details and credentials for login into the SMC Server.

1. Enable the Sophos Mobile Control: Click the toggle switch.

2. Make the following settings:
SMC Server: Add or select the server to host the SMC.
Customer: Enter the customer for the SMC.
Username: Enter the username for the SMC.
Password: Enter the password for the SMC.

Note – You cannot create a new customer or define a user or password in the Sophos UTM. New customers can only be created directly in the SMC.

CA Certificate: Select the Official Web CA or a custom Certificate Authority. On the Site-to-site VPN > Certificate Management > Certificate Authority tab you can add new Certificate Authorities to the unit.

3. Click Test SMC settings:
The Information window opens.
- Connection test passed: Connecting to the SMC server was successful.
- Connection test failed: Connecting to the SMC server was not successful.

Note – If connecting to the SMC server was not successful, you can look into the Sophos Mobile Control live log to find the problem.

4. Optionally, make the following advanced settings:
Enable debug mode: This option controls how much debug output is generated in the Sophos Mobile Control log. Select this option if you, for example, encounter connection problems and need detailed information about the negotiation of client parameters.

5. Click Apply.
Your settings will be saved.

Open Live Log

The Sophos Mobile Control live log logs all activities on the Sophos Mobile Control interface. Click the Open Live Log button to open the Sophos Mobile Control live log in a new window.

4.11.2 Compliance Overview

The Management > Sophos Mobile Control > Compliance Overview tab lists all mobile devices which are connected to the Sophos UTM and provides the following information:
- Non-compliant devices: Shows you the MAC addresses of all non-compliant devices, which will be used for the wireless network blacklist.
- Compliant devices: Shows you the MAC addresses of all compliant devices, which are on the wireless network whitelist.
- Non-compliant users: Shows you all non-compliant user names, which are on the VPN blacklist.

4.11.3 Network Access Control

The Management > Sophos Mobile Control > General tab allows you to specify network access control for your VPN connections and wireless networks. Non-compliant devices will be blocked for the defined VPN or wireless networks.

1. Enforce the corresponding VPN or wireless networks.
Define the VPN and wireless networks which will be blocked for users if their mobile devices are non-compliant with your company policies.
- Enforce for L2TP over IPsec: If selected, non-compliant users cannot connect via L2TP over IPsec to the Sophos Mobile Control.
- Enforce for Cisco™ VPN: If selected, non-compliant users cannot connect via Cisco™ VPN to the Sophos Mobile Control.
- Also deny access for other VPN protocols: If selected, non-compliant users cannot connect via other VPN protocols to the Sophos Mobile Control.

2. Enforce for Wireless Networks.
Select the wireless network(s) with which non-compliant devices cannot connect to the Sophos Mobile Control.

3. Poll compliance status.
Enter the polling interval in minutes (1-60). Within this interval the Sophos UTM will poll the current compliance status from the SMC server.

4. Click Apply.
Your settings will be saved.

4.11.4 Configuration Settings

The Management > Sophos Mobile Control > Configuration Settings tab allows you to push the VPN and wireless network configurations from the WebAdmin to the SMC server.

1. Configuration Settings for Sophos Mobile Control
Define which VPN and wireless network configurations you want to push to the SMC server.
- L2TP over IPsec configuration: If selected, the L2TP over IPsec configuration will be pushed to the SMC server.
- Cisco™ VPN configuration: If selected, the Cisco™ VPN configuration will be pushed to the SMC server.

2. Wireless Networks.
Select the wireless network(s) you want to push to the SMC server.

3. EAP methods.
Select the EAP method (Extensible Authentication Protocol) you want to use for wireless network enterprise authentication. EAP is an authentication framework providing for the transport and usage of keying material and parameters generated by EAP methods.
- PEAP: Protected Extensible Authentication Protocol
- LEAP: Lightweight Extensible Authentication Protocol
- FAST: Flexible Authentication via Secure Tunneling
- TLS: Transport Layer Security
- TTLS: Tunneled Transport Layer Security

4. Click Apply.
Your settings will be saved.

Push Configuration

To transfer the current configuration to the SMC server, click the Push Configuration Now button.

Note – Use this function only in exceptional cases, for example when the servers were offline during transmission. This button is not a necessity for a standard push of the configuration.

4.12 High Availability

The main cause for an Internet security system to fail is a hardware failure. The ability of any system to continue providing services after a failure is called failover. Sophos UTM provides high availability (HA) failover, allowing you to set up a hot standby system in case the primary system fails (active-passive). Alternatively, you can use Sophos UTM to set up a cluster, which operates by distributing dedicated network traffic to a collection of nodes (active-active), similar to conventional load-balancing approaches, in order to get optimal resource utilization and decrease computing time.

The concepts high availability and cluster as implemented in Sophos UTM are closely related, for a high availability system can be considered a two-node cluster, which is the minimum requirement to provide redundancy.

Each node within the cluster can assume one of the following roles:

- Master: The primary system in a hot standby/cluster setup. Within a cluster, the master is responsible for synchronizing and distributing data.
- Slave: The standby system in a hot standby/cluster setup which takes over operations if the master fails.
- Worker: A simple cluster node, responsible for data processing only.

All nodes monitor themselves by means of a so-called heartbeat signal, a periodically sent multicast UDP packet used to check if the other nodes are still alive. If any node fails to send this packet due to a technical error, the node will be declared dead. Depending on the role the failed node had assumed, the configuration of the setup changes as follows:
- If the master node fails, the slave will take its place and the worker node with the highest ID will become slave.
- If the slave node fails, the worker node with the highest ID will become slave.
- If a worker node fails, you may notice a performance decrease due to the lost processing power. However, the failover capability is not impaired.
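The role changes above, modelled as an added Python example (not Sophos code, and not how UTM implements it internally): nodes that stop sending heartbeats are declared dead, and the three rules are applied. The heartbeat timeout (dead_after) and the node layout are assumptions; the guide gives neither.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Role(Enum):
    MASTER = "MASTER"
    SLAVE = "SLAVE"
    WORKER = "WORKER"
    DEAD = "DEAD"


@dataclass
class Node:
    node_id: int            # node ID 1-10, as shown on the Status tab
    role: Role
    last_heartbeat: float   # time (seconds) the last heartbeat from this node was seen


class HaCluster:
    """Role bookkeeping for a hot standby system or cluster (constructed model)."""

    MAX_NODES = 10

    def __init__(self, nodes: List[Node], dead_after: float = 3.0) -> None:
        ids = [n.node_id for n in nodes]
        if not 1 <= len(ids) <= self.MAX_NODES:
            raise ValueError("a cluster has between 1 and 10 nodes")
        if len(set(ids)) != len(ids) or not all(1 <= i <= self.MAX_NODES for i in ids):
            raise ValueError("node IDs must be unique and within 1-10")
        if sum(n.role is Role.MASTER for n in nodes) != 1:
            raise ValueError("exactly one node must be MASTER")
        self.nodes: Dict[int, Node] = {n.node_id: n for n in nodes}
        # Assumed heartbeat timeout; the guide does not state the interval.
        self.dead_after = dead_after

    def heartbeat(self, node_id: int, now: float) -> None:
        """Record a heartbeat (the guide's periodic multicast UDP packet) from a node."""
        self.nodes[node_id].last_heartbeat = now

    def roles(self) -> Dict[int, str]:
        return {i: n.role.value for i, n in sorted(self.nodes.items())}

    def has_failover(self) -> bool:
        """Failover capability exists only while a SLAVE is present."""
        return any(n.role is Role.SLAVE for n in self.nodes.values())

    def check(self, now: float) -> List[Tuple[int, str]]:
        """Declare silent nodes dead and apply the role changes the guide describes."""
        events: List[Tuple[int, str]] = []
        # Evaluate the master first: if master and slave die in the same pass,
        # the slave is promoted, then found dead as master, and the next
        # promotion happens as well.
        ordered = sorted(self.nodes.values(), key=lambda n: n.role is not Role.MASTER)
        for node in ordered:
            if node.role is Role.DEAD or now - node.last_heartbeat <= self.dead_after:
                continue
            failed_role = node.role
            node.role = Role.DEAD
            events.append((node.node_id, f"{failed_role.value} declared dead"))
            if failed_role is Role.MASTER:
                slave = self._first(Role.SLAVE)
                if slave is not None:
                    slave.role = Role.MASTER
                    events.append((slave.node_id, "SLAVE -> MASTER"))
                self._promote_highest_worker(events)
            elif failed_role is Role.SLAVE:
                self._promote_highest_worker(events)
            # A dead WORKER only costs processing power; no role changes.
        return events

    def _first(self, role: Role) -> Optional[Node]:
        return next((n for n in self.nodes.values() if n.role is role), None)

    def _promote_highest_worker(self, events: List[Tuple[int, str]]) -> None:
        workers = [n for n in self.nodes.values() if n.role is Role.WORKER]
        if workers:
            new_slave = max(workers, key=lambda n: n.node_id)
            new_slave.role = Role.SLAVE
            events.append((new_slave.node_id, "WORKER -> SLAVE"))


def demo_master_failure() -> Tuple[List[Tuple[int, str]], Dict[int, str]]:
    """Constructed four-node cluster; node 1 (master) stops heartbeating at t=10."""
    cluster = HaCluster([Node(1, Role.MASTER, 0.0), Node(2, Role.SLAVE, 0.0),
                         Node(3, Role.WORKER, 0.0), Node(4, Role.WORKER, 0.0)])
    for node_id in (2, 3, 4):
        cluster.heartbeat(node_id, 10.0)
    events = cluster.check(10.0)
    return events, cluster.roles()


if __name__ == "__main__":
    for event in demo_master_failure()[0]:
        print(event)
```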

Reporting

All reporting data is consolidated on the master node and is synchronized to the other cluster nodes at intervals of five minutes. In case of a takeover, you will therefore lose no more than five minutes of reporting data. However, there is a distinction in the data collection process. The graphs displayed in the Logging & Reporting > Hardware tabs only represent the data of the node currently being master. On the other hand, accounting information such as shown on the Logging & Reporting > Network Usage page represents data that was collected by all nodes involved. For example, today's CPU usage histogram shows the current processor utilization of the master node. In the case of a takeover, this would then be the data of the slave node. However, information about top accounting services, for example, is a collection of data from all nodes that were involved in the distributed processing of traffic that has passed the unit.

Notes
- The Address Resolution Protocol (ARP) is only used by the actual master. That is to say, slave and worker nodes do not send or reply to ARP requests.
- In case of a failover event, the unit that takes over operations performs an ARP announcement (also known as gratuitous ARP), which is usually an ARP request intended to update the ARP caches of other hosts which receive the request. Gratuitous ARP is utilized to announce that the IP of the master was moved to the slave.
- All interfaces configured on the master must have a physical link, that is, the port must be properly connected to any network device.
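What the takeover announcement looks like on the wire, as an added Python example (not Sophos code): a parser for Ethernet/ARP frames that recognizes gratuitous ARP (sender IP equals target IP) and a watcher that reports when a known IP is suddenly announced from a different MAC, which is how a monitoring host sees the master's IP move to the slave. The MACs, IPs and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # An ARP announcement names the sender's own IP as the target IP.
        return self.sender_ip == self.target_ip


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame; return None unless it carries IPv4-over-Ethernet ARP."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(opcode, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


class ArpWatch:
    """Learns IP-to-MAC bindings from ARP announcements and reports when one moves."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[Tuple[str, ...]]:
        pkt = parse_arp_frame(frame)
        if pkt is None or not pkt.is_gratuitous:
            return None                        # ordinary who-has/is-at traffic is ignored
        previous = self.bindings.get(pkt.sender_ip)
        self.bindings[pkt.sender_ip] = pkt.sender_mac
        if previous is None:
            return ("learned", pkt.sender_ip, pkt.sender_mac)
        if previous != pkt.sender_mac:
            # This is what a takeover looks like: the master's IP is now announced
            # from the slave's MAC. Correlate such events with the HA live log.
            return ("moved", pkt.sender_ip, previous, pkt.sender_mac)
        return ("refreshed", pkt.sender_ip, pkt.sender_mac)


def _frame(src_mac: str, opcode: int, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed sample frame from hex fields, broadcast destination."""
    return bytes.fromhex("ffffffffffff" + src_mac + "0806" + "0001" + "0800" + "0604"
                         + f"{opcode:04x}" + src_mac + spa + tha + tpa)


# Constructed sample traffic: locally administered MACs, gateway IP 192.168.0.1.
MASTER_MAC, SLAVE_MAC, CLIENT_MAC = "020000000001", "020000000002", "020000000050"
GATEWAY_IP, CLIENT_IP, ZERO_MAC = "c0a80001", "c0a80032", "000000000000"
CLIENT_REQUEST = _frame(CLIENT_MAC, ARP_REQUEST, CLIENT_IP, ZERO_MAC, GATEWAY_IP)
MASTER_ANNOUNCE = _frame(MASTER_MAC, ARP_REQUEST, GATEWAY_IP, ZERO_MAC, GATEWAY_IP)
SLAVE_ANNOUNCE = _frame(SLAVE_MAC, ARP_REQUEST, GATEWAY_IP, ZERO_MAC, GATEWAY_IP)


def demo() -> List[Optional[Tuple[str, ...]]]:
    """Client request, master announcement, then the slave announcing after takeover."""
    watch = ArpWatch()
    return [watch.observe(f) for f in (CLIENT_REQUEST, MASTER_ANNOUNCE, SLAVE_ANNOUNCE)]


if __name__ == "__main__":
    for event in demo():
        print(event)
```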

4.12.1 Hardware and Software Requirements

The following hardware and software requirements must be met to provide HA failover or cluster functionality:
- Valid license with the high availability option enabled (for the stand-by unit you only need an additional base license).
- Two UTM units with identical software versions and hardware or two UTM appliances of the same model.
- Heartbeat-capable Ethernet network cards. Check the HCL to figure out which network cards are supported. The HCL is available at the Sophos Knowledgebase (use "HCL" as search term).
- Ethernet crossover cable (for connecting master and slave in a hot standby system). UTM appliance models 320, 425, and 525, whose dedicated HA interface is a Gigabit auto-MDX device, can be connected through a standard IEEE 802.3 Ethernet cable as the Ethernet port will automatically exchange send/receive pairs.
- Network switch (for connecting cluster nodes).

4.12.2 Status

The Management > High Availability > Status tab lists all devices involved in a hot standby system or cluster and provides the following information:
- ID: The device's node ID. In a hot standby system, the node ID is either 1 (master) or 2 (slave). The node ID in a cluster can range from 1-10, as a cluster can have up to a maximum of 10 nodes.
- Role: Each node within the cluster can assume one of the following roles:
  - MASTER: The primary system in a hot standby/cluster setup. It is responsible for synchronizing and distributing data within a cluster.
  - SLAVE: The standby system in a hot standby/cluster setup which takes over operations if the master fails.
  - WORKER: A simple cluster node, responsible for data processing only.
- Device Name: The name of the device.
- Status: The state of the device concerning its HA status; can be one of the following:
  - ACTIVE: The node is fully operational. In case of a hot standby (active-passive) setup, this is the status of the active node.
  - READY: The node is fully operational. In case of a hot standby (active-passive) setup, this is the status of the passive node.
  - UNLINKED: One or more interface links are down.
  - UP2DATE: An Up2Date is in progress.
  - UP2DATE-FAILED: An Up2Date has failed.
  - DEAD: The node is not reachable.
  - SYNCING: Data synchronization is in progress. This status is displayed when a takeover process is going on. The initial synchronizing time is at least 5 minutes. It can, however, be lengthened by all synchronizing-related programs. While a SLAVE is synchronizing and in state SYNCING, there is no graceful takeover, e.g. due to link failure on the master node.
- Version: Version number of the Sophos UTM Software installed on the system.
- Last Status Change: The time when the last status change occurred.

Reboot/Shutdown: With these buttons, a device can be manually rebooted or shut down.

Remove Node: Use this button to remove a dead cluster node via WebAdmin. All node-specific data like mail quarantine and spool is then taken over by the master.

Click the button Open HA Live Log in the upper right corner to open the high availability live log in a separate window.

4.12.3 System Status

The Management > High Availability > System Status tab lists all devices involved in a hot standby system or cluster and provides information about the resource usage of each device:
- The CPU utilization in percent
- The RAM utilization in percent. Please note that the total memory displayed is the part that is usable by the operating system. With 32-bit systems, in some cases that does not represent the actual size of the physical memory installed, as part of it is reserved for hardware.
- The swap utilization in percent
- The amount of hard disk space consumed by the log partition in percent
- The amount of hard disk space consumed by the root partition in percent
- The status of the UPS (uninterruptible power supply) module (if available)

4.12.4 Configuration

The high availability functionality of Sophos UTM covers four basic settings:
- Off
- Automatic Configuration
- Hot Standby (Active-Passive)
- Cluster (Active-Active)

Automatic Configuration: Sophos UTM features a plug-and-play configuration option for UTM appliances that allows the setup of a hot standby system/cluster without requiring reconfiguration or manual installation of devices to be added to the cluster. Simply connect the dedicated HA interfaces (eth3) of your UTM appliances with one another, select Automatic Configuration for all devices, and you are done.

Note – For Automatic Configuration to work, all UTM appliances must be of the same model. For example, you can only use two UTM 320 appliances to set up a HA system; one UTM 220 unit on the one hand and one UTM 320 unit on the other hand cannot be combined.

If you connect two UTM appliances through this dedicated interface, all devices will recognize each other and configure themselves automatically as an HA system—the device with the longer uptime becoming master. In the unlikely case that the uptime is identical, the decision which device becomes master will be made based on the MAC address.

Using UTM Software, the Automatic Configuration option is to be used on dedicated slave systems to automatically join a master or already configured hot standby system/cluster. For that reason, Automatic Configuration can be considered a transition mode rather than a high availability operation mode in its own right, for the high availability operation mode will change to Hot Standby or Cluster as soon as a device with Automatic Configuration selected joins a hot standby system or cluster, respectively. The prerequisite, however, for this feature to work is that the option Enable Automatic Configuration of New Devices is enabled on the master system. This function will make sure that those devices whose high availability operation mode is set to Automatic Configuration will automatically be added to the hot standby system/cluster.

Hot Standby (active-passive): Sophos UTM features a hot standby high availability concept consisting of two nodes, which is the minimum required to provide redundancy. One of the major improvements introduced in Sophos UTM Software 9 is that the latency for a takeover could be reduced to less than two seconds. In addition to firewall connection synchronization, the gateway also provides IPsec tunnel synchronization. This means that road warriors as well as remote VPN gateways do not need to re-establish IPsec tunnels after the takeover. Also, objects residing in the quarantine are synchronized and are still available after a takeover.

Cluster (active-active): (Not available with BasicGuard subscription.) To cope with the rising demand of processing large volumes of Internet traffic in real time, Sophos UTM features a clustering functionality that can be employed to distribute processing-intensive tasks such as content filtering, virus scanning, intrusion prevention, or decryption equally among multiple cluster nodes. Without the need of a dedicated hardware-based load balancer, the overall performance of the gateway can be increased considerably.

Note – When configuring a cluster, make sure you have configured the master node first before connecting the remaining units to the switch.

Setting up the master, slaves, or workers is pretty similar. Proceed as follows:

1. Select a high availability operation mode.
By default, high availability is turned off. The following modes are available:
- Automatic Configuration
- Hot Standby (active-passive)
- Cluster (active-active)

Note – If you want to change the high availability operation mode, you must always set the mode back to Off before you can change it to either Automatic Configuration, Hot Standby, or Cluster.

Note – If the license/subscription has expired or is non-existent, changing the operation mode is limited to Off and the current operation mode.

Depending on your selection, one or more options will be displayed.

2. Make the following settings:
Sync NIC: Select the network interface card through which master and slave systems will communicate. If link aggregation is active, you can select a link aggregation interface here, too.

Note – Only those interfaces are displayed that have not been configured yet. It is possible to change the synchronization interface in a running configuration. Note that afterwards all nodes are going to reboot.

The following options can only be configured if you select either Hot Standby or Cluster as operation mode:

Device Name: Enter a descriptive name for this device.

Device Node ID: Select the node ID of the device. In case of a failure of the primary system, the node with the highest ID will become master.

Encryption Key: The passphrase with which the communication between master and slave is encrypted (enter the passphrase twice for verification). Maximum key length is 16 characters.

3. Click Apply.
The high-availability failover is now active on the device.

The gateway in hot standby mode will be updated at regular intervals over the data transfer connection. Should the active primary system encounter an error, the secondary will immediately and automatically change to normal mode and take over the primary system's functions.

Note – When you deactivate a hot standby system/cluster, the slave and worker nodes will perform a factory reset and shut down.

More information (especially use cases) can be found in the HA/Cluster Guide, which is available at the Sophos Knowledgebase.

Advanced

This section allows you to make some advanced settings.

Enable Automatic Configuration of New Devices: If you have configured a hot standby system/cluster manually, this option will make sure that those devices whose high-availability operation mode is set to Automatic Configuration will automatically be added to the hot standby system/cluster. However, this option has no effect on slave systems, so you can leave it enabled, which is the default setting.

Keep Node(s) Reserved During Up2Date: If selected, during an update to a new system version, half of the HA/Cluster nodes will keep the current system version. When the new version is stable, you can update the remaining nodes on the Management > High Availability > Status page. In case the new version leads to a failure of all updated nodes, the remaining nodes will build a new HA/Cluster with the old version. You can then install the old version on the failed nodes or wait for the next update.

If Keep Node(s) Reserved During Up2Date is enabled, reserved nodes will not be synchronized anymore after an update, because synchronization is restricted to nodes having the same system version. Instead, the state of the reserved nodes will be preserved. So, if for whatever reason you decide to reactivate the reserved nodes, configuration changes or reporting data coming up in the time span between update start and reactivation will be lost.

Preferred Master: Here you can define a designated master node by selecting a node from the drop-down list. In case of a failover, the selected node will not stay in Slave mode after the link recovers but instead will switch back to Master mode.

Backup Interface: To prevent both master and slave from becoming master at the same time (master-master situations), for example because of a failure of the HA synchronization interface or an unplugged network cable, a backup heartbeat interface can be selected. This additional heartbeat interface can be any of the configured and active Ethernet interfaces. If a backup interface is selected, an additional heartbeat signal is sent via this interface in one direction from the master to the slave to make sure that the master-slave configuration stays intact. If the master-slave connection is disabled and the backup interface becomes involved, the administrator will receive a notification informing that one of the cluster nodes is dead. However, this option has no effect on slave systems, so you can leave it unconfigured.

Note – In case of a failure of the HA synchronization interface, no configuration is synchronized anymore. The backup interface only prevents master-master situations.

4.13 Shutdown and Restart

On this tab you can manually shut down or restart Sophos UTM.

Shutdown: This action allows you to shut down the system and to stop all services in a proper manner. For systems without a monitor or LCD display, the end of the shutdown process is signaled by an endless series of beeps at intervals of one second.

To shut down Sophos UTM, proceed as follows:

1. Click Shutdown (Halt) the System Now.

2. Confirm the warning message.
When asked "Really shut down the system?", click OK.
The system is going down for halt.

Depending on your hardware and configuration, this process may take several minutes to complete. Only after the system has completely shut down should you turn off the power. If you turn off the power without the system being shut down properly, the system will check the consistency of its file system during the next boot, meaning that the boot-up process will take much longer than usual. In the worst case, data may have been lost.

The system will beep five times in a row to indicate a successful system start.

Restart: This action will shut down the system completely and reboot. Depending on your hardware and configuration, a complete restart can take several minutes.

To restart Sophos UTM, proceed as follows:

1. Click Restart (Reboot) the System Now.

2. Confirm the warning message.
When asked "Really restart the system?", click OK.
The system is going down for halt and reboot.

5 Definitions & Users

This chapter describes how to configure network, service, and time period definitions used throughout Sophos UTM. The Definitions Overview page in WebAdmin shows the number of network definitions according to type as well as the numbers of service definitions according to protocol type.

The pages of the Definitions & Users menu allow you to define networks and services that can be used in all other configuration menus in one central place. This allows you to work with the names you define rather than struggling with IP addresses, ports, and network masks. Another benefit of definitions is that you can group individual networks and services together and configure them all at once. If, for example, you assign certain settings to these groups at a later time, these settings will apply to all networks and services contained therein.

Additionally, this chapter describes how to configure user accounts, user groups, and external authentication servers of Sophos UTM as well as authentication for client PCs.

The following topics are included in this chapter:
- Network Definitions
- Service Definitions
- Time Period Definitions
- Users & Groups
- Client Authentication
- Authentication Services

5.1 Network Definitions

The Definitions & Users > Network Definitions menu lets you create hosts, networks, and network groups as well as MAC address definitions. The definitions created here can be used in many other WebAdmin configurations.

5.1.1 Network Definitions

The Definitions & Users > Network Definitions > Network Definitions tab is the central place for defining hosts, networks, and network groups on UTM. The definitions created here can be used on many other WebAdmin configuration menus.

Opening the tab, by default, all network definitionsare displayed. Using the drop-down list on

top of the list, you can choose to display network definitionswith certain properties.

Tip – When you click on the Info icon of a networkdefinition in the Network Definitions list, you

can see all configuration options in which the network definition isused.

The network table also contains static networks, which were automatically created by the sys-

tem and which can neither be edited nor deleted:

l   Internal (Address): A definition of this type will be added for each network interface. It

contains the current IP address of the interface. Its name consists of the interface namewith "(Address)" appended to it.

l   Internal (Broadcast): A definition of this type will be added for each Ethernet-type net-

work interface. It contains the current IPv4 broadcast address of the interface. Its name

consists of the interface name with "(Broadcast)" appended to it.

l   Internal (Network): A definition of this type will be added for each Ethernet-type net-

work interface. It contains the current IPv4 network of the interface. Its name consists of 

the interface name with "(Network)" appended to it.

l   Any (IPv4/IPv6): A network definition (for IPv4 and IPv6 each, if IPv6 is enabled) bound

to the interface which serves as default gateway. Making use of it in your configuration

should make the configuration process easier. With uplink balancing enabled, the defin-

ition Internet is bound to Uplink Interfaces.

Note – IPv6 entries are only visible if it is activated in Interfaces & Routing > IPv6 .

Note – User network objects authenticated via client authentication will always be shown as

unresolved due to performance reasons.

To create a network definition, proceed as follows:

1.   On the Network Definitions tab, click New Network Definition.

The Create New Network Definition dialog box opens.

2.   Make the following settings:

(Note that further parameters of the network definition will be displayed depending on

the selected definition type.)


   Name: Enter a descriptive name for this definition.

   Type: Select the network definition type. The following types are available:

   - Host: A single IP address. Provide the following information:
     - IPv4 Address/IPv6 Address: The IP address of the host (note that you cannot enter the IP address of a configured interface).
     - DHCP Settings (optional): In this section you can create static mappings between hosts and IP addresses. For that purpose, you need a configured DHCP server (see Network Services > DHCP > Servers).

       Note – To avoid an IP address clash between addresses assigned dynamically from the DHCP pool and those mapped statically, make sure that the latter are not within the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.

       IPv4 DHCP: Select the IPv4 DHCP server to be used for the static mapping.

       MAC Addresses: Enter the MAC addresses of the hosts' network interface cards. MAC addresses are usually specified as six groups of two hexadecimal digits, separated by colons or hyphens (e.g., 00:04:76:16:EA:62).

       IPv6 DHCP: Select the IPv6 DHCP server to be used for the static mapping.

       DHCP Unique IDs: Enter the DUIDs of the hosts. On Windows operating systems, for example, the DUID can be found in the Windows Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters (ipconfig /all also displays it as the DHCPv6 Client DUID). Note that you have to enter the DUID as groups of two hexadecimal digits separated by colons (e.g., 00:01:00:01:13:30:65:56:00:50:56:b2:07:51).
     - DNS Settings (optional): If you do not want to set up your own DNS server but need static DNS mappings for a few hosts of your network, you can enter these mappings in this section of the respective hosts. Note that this only scales for a limited number of hosts and is by no means intended as a replacement for a fully operable DNS server.

       Hostname: Enter the fully qualified domain name (FQDN) of the host.

       Reverse DNS: Select the checkbox to enable the mapping of the host's IP address to its name. Note that although several names can map to the same IP address, one IP address can only ever map to one name.

       Additional Hostnames: Click the Plus icon to add additional hostnames for the host.
   - DNS Host: A DNS hostname, dynamically resolved by the system to produce an IP address. DNS hosts are useful when working with dynamic IP endpoints. The system re-resolves these definitions periodically according to the TTL (Time To Live) values of the DNS records and updates the definition with the new IP address (if any). Because the definition follows whatever the resolver returns, a firewall rule built on a DNS host is only as trustworthy as the DNS answers UTM receives. Provide the following information:
     - Hostname: The hostname you want to resolve.
   - DNS Group: Similar to DNS Host, but can cope with multiple RRs (Resource Records) in DNS for a single hostname. It is useful for defining firewall rules and exceptions in transparent proxies.
   - Network: A standard IP network, consisting of a network address and a netmask. Provide the following information:
     - IPv4 Address/IPv6 Address: The network address of the network (note that you cannot enter the IP address of a configured interface).
     - Netmask: The bit mask that tells how many bits of the address identify the subnetwork, and how many bits provide room for host addresses.
   - Range: Select to define a whole IP address range. Provide the following information:
     - IPv4 From: First IPv4 address of the range.
     - IPv4 To: Last IPv4 address of the range.
     - IPv6 From: First IPv6 address of the range.
     - IPv6 To: Last IPv6 address of the range.
   - Multicast Group: A network that comprises a defined multicast network range.
     - IPv4 Address: The network address of the multicast network, which must be in the range 224.0.0.0 to 239.255.255.255.
     - Netmask: The bit mask that tells how many bits of the address identify the subnetwork, and how many bits provide room for host addresses.


   - Network Group: A container that includes a list of other network definitions. You can use it to bundle networks and hosts for better readability of your configuration. Once you have selected Network Group, the Members box appears, where you can add the group members.
   - Availability Group: A group of hosts and/or DNS hosts sorted by priority. The alive status of all hosts is checked with ICMP pings at an interval of 60 seconds by default. The host with the highest priority that has an alive status is used in the configuration. Once you have selected Availability Group, the Members box appears, where you can add the group members.

   Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:
   The options displayed depend on the selected Type above.

   Interface (optional): You can bind the network definition to a certain interface, so that connections to the definition are only established via this interface.

   Monitoring Type (only with type Availability Group): Select the service protocol for the alive status checks. Select either TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP ping), HTTP Host (HTTP requests), or HTTPS Host (HTTPS requests) for monitoring. When using UDP, a ping request is sent first; if it succeeds, it is followed by a UDP packet with an empty payload. If the ping does not succeed or an ICMP port unreachable message comes back, the host is regarded as down. Because UDP is connectionless, a host that silently drops the UDP packet still counts as alive; only the ping failure or the explicit ICMP error marks it down.

   Port (only with monitoring type TCP or UDP): Number of the port the request is sent to.

   URL (optional, only with monitoring types HTTP Host or HTTPS Host): URL to be requested. You can use ports other than the default ports 80 or 443 by adding the port to the URL, e.g., http://example.domain:8080/index.html. If no URL is entered, the root directory is requested.

   Interval: Enter the time interval in seconds at which the hosts are checked.

   Timeout: Enter the maximum time span in seconds within which a host must respond. If a host does not respond within this time, it is regarded as dead.

   Always Resolved: This option is selected by default, so that if all hosts are unavailable, the group resolves to the host that was last available. Otherwise the group is set to unresolved if all hosts are dead.


4. Click Save.
   The new definition appears on the network definition list.

To either edit or delete a network definition, click the corresponding buttons.
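The following Python example models how an Availability Group from the procedure above is resolved: members are probed with the configured Monitoring Type, a member that does not answer within Timeout is dead, the live member with the highest priority wins, and Always Resolved keeps the member that was last available when all are dead. It is an added example, not Sophos UTM code. Probe results are passed in by the caller so the logic runs offline, the sample cycles are constructed, and what counts as a successful HTTP check is not stated in the text, so a 2xx or 3xx response is assumed.

```python
"""Availability Group resolution as described in the procedure above.

Added example, not Sophos UTM code. Probe results come from a dictionary
the caller supplies (constructed below); the HTTP success rule (2xx/3xx)
is an assumption because the text does not state it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str        # host or DNS host definition name
    address: str
    priority: int    # 1 = highest, as ordered in the Members box


@dataclass
class Probe:
    """What one check cycle observed for one member."""
    reply_seconds: float = 0.0           # time until any answer arrived
    ping_ok: bool = False                # ICMP echo reply received
    tcp_connected: bool = False          # TCP handshake completed
    icmp_port_unreachable: bool = False  # answer to the empty UDP datagram
    http_status: int = 0                 # 0 = no HTTP response


class AvailabilityGroup:
    def __init__(self, members: List[Member], monitoring_type: str = "Ping",
                 port: Optional[int] = None, url: str = "", interval: int = 60,
                 timeout: int = 5, always_resolved: bool = True):
        self.members = sorted(members, key=lambda m: m.priority)
        self.monitoring_type = monitoring_type
        self.port, self.url = port, url
        self.interval, self.timeout = interval, timeout
        self.always_resolved = always_resolved
        self.last_available: Optional[Member] = None

    def member_alive(self, probe: Probe) -> bool:
        if probe.reply_seconds > self.timeout:
            return False                            # Timeout exceeded: dead
        t = self.monitoring_type
        if t == "Ping":
            return probe.ping_ok
        if t == "TCP":
            return probe.tcp_connected
        if t == "UDP":
            # Ping first, then a UDP datagram with an empty payload. UDP is
            # connectionless, so silence counts as alive; only a failed ping
            # or an ICMP port unreachable marks the member down.
            return probe.ping_ok and not probe.icmp_port_unreachable
        if t in ("HTTP Host", "HTTPS Host"):
            return 200 <= probe.http_status < 400   # assumption, see docstring
        raise ValueError(f"unknown monitoring type {t!r}")

    def resolve(self, probes: Dict[str, Probe]) -> Optional[Member]:
        """Run one check cycle; return the member the group resolves to."""
        no_answer = Probe(reply_seconds=float("inf"))
        for m in self.members:                      # highest priority first
            if self.member_alive(probes.get(m.name, no_answer)):
                self.last_available = m
                return m
        if self.always_resolved:
            return self.last_available              # None until the first success
        return None


def main() -> None:
    group = AvailabilityGroup(
        [Member("dns-primary", "10.0.0.1", 1), Member("dns-backup", "10.0.0.2", 2)],
        monitoring_type="TCP", port=53, timeout=5)
    # Constructed sample cycle: the primary times out, the backup answers.
    cycle = {"dns-primary": Probe(reply_seconds=6.0),
             "dns-backup": Probe(reply_seconds=0.2, tcp_connected=True)}
    print("cycle 1 ->", group.resolve(cycle).name)
    # Next cycle: nothing answers; Always Resolved keeps the backup.
    print("cycle 2 ->", group.resolve({}).name)


if __name__ == "__main__":
    main()
```

With Always Resolved cleared, the second cycle would return None and any rule referencing the group would stop matching, which is usually the safer behaviour for a rule that permits traffic and the worse one for a rule that selects a backend.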

5.1.2 MAC Address Definitions

The Definitions & Users > Network Definitions > MAC Address Definitions tab is the central place for defining MAC address definitions, i.e., lists of MAC addresses. A MAC address definition can be used like a network definition. Additionally, it can be used to further restrict a rule based on hosts/IP addresses so that it only matches devices that have one of the defined MAC addresses. Keep in mind that a MAC address is only visible to UTM on a directly connected Layer 2 segment and can be changed by the sender at will, so a MAC restriction narrows a rule but does not authenticate a device.

Tip – When you click the Info icon of a MAC address definition, you can see all configuration options in which the definition is used.

To create a MAC address definition, proceed as follows:

1. On the MAC Address Definitions tab, click New MAC Address List.
   The Create MAC Address List dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this definition.

   MAC Addresses: Click the Plus icon to enter individual MAC addresses one after the other, or use the Action icon to import a list of MAC addresses via copy and paste. MAC addresses are usually specified as six groups of two hexadecimal digits, separated by colons or hyphens (e.g., 00:04:76:16:EA:62).

   Hosts: Add or select the hosts whose MAC addresses you want to add to the MAC address definition. The MAC addresses defined in the DHCP Settings section of the host definition are added to the MAC address list. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   Note – The number of addresses per address definition is limited for the following uses: To restrict access to a wireless network, the maximum is 200. To restrict access to a RED appliance, the maximum is 200 for RED 10 and 400 for RED 50.

   Note – You can enter MAC addresses or hosts or both.


   Comment (optional): Add a description or other information.

3. Click Save.
   The new definition appears on the MAC Address Definitions list.

To either edit or delete a MAC address definition, click the corresponding buttons.
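The Python example below covers the address formats used both in the DHCP Settings of a host definition (5.1.1) and in a MAC address list (5.1.2): it parses a pasted list the way the Action icon import would, accepting the colon and hyphen spellings and collapsing duplicates, applies the per-use maximums from the Note, validates the colon-separated DUID form, and performs the check behind the IP address clash note, i.e. that a statically mapped address lies outside the DHCP pool. It is an added example, not Sophos UTM code; the sample inputs are constructed and the 130-octet DUID ceiling comes from RFC 8415, not from this manual.

```python
"""MAC address list import (5.1.2) and static DHCP mapping checks (5.1.1).

Added example, not Sophos UTM code. Sample inputs are constructed; the
DUID length limit is the RFC 8415 maximum (130 octets), not from the text.
"""
import ipaddress
import re
from typing import List, Tuple

# Six groups of two hex digits with one separator (":" or "-") used throughout.
_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$")
_HEX2_RE = re.compile(r"^[0-9a-f]{2}$")

# Maximum addresses per definition for the uses named in the Note above.
MAX_ADDRESSES = {"wireless": 200, "RED 10": 200, "RED 50": 400}


def normalize_mac(raw: str) -> str:
    """Return the MAC in 00:04:76:16:ea:62 form or raise ValueError."""
    s = raw.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {raw!r}")
    return s.replace("-", ":")


def parse_mac_list(text: str) -> Tuple[List[str], List[str]]:
    """Parse pasted lines; return (unique normalized MACs, rejected lines)."""
    accepted, rejected, seen = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            mac = normalize_mac(line)
        except ValueError:
            rejected.append(line)
            continue
        if mac not in seen:          # the same address in two spellings counts once
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected


def within_limit(macs: List[str], use: str) -> bool:
    """True if a list of this size may restrict the given facility."""
    return len(macs) <= MAX_ADDRESSES[use]


def normalize_duid(raw: str) -> str:
    """Validate the colon-separated DUID form: 2-byte type code plus identifier."""
    parts = raw.strip().lower().split(":")
    if not 3 <= len(parts) <= 130 or not all(_HEX2_RE.match(p) for p in parts):
        raise ValueError(f"not a colon-separated DUID: {raw!r}")
    return ":".join(parts)


def static_mapping_ok(static_ip: str, pool_from: str, pool_to: str) -> bool:
    """True if the static address cannot collide with the dynamic pool."""
    ip = ipaddress.ip_address(static_ip)
    lo, hi = ipaddress.ip_address(pool_from), ipaddress.ip_address(pool_to)
    if lo > hi:
        raise ValueError("pool start is after pool end")
    return not lo <= ip <= hi


if __name__ == "__main__":
    pasted = "00:04:76:16:EA:62\n00-04-76-16-ea-62\n00:04:76:16:EA:63\nnot-a-mac\n"
    macs, bad = parse_mac_list(pasted)
    print(macs, "rejected:", bad, "wireless ok:", within_limit(macs, "wireless"))
    # The clash case from the Note: 192.168.0.200 lies inside 192.168.0.100-210.
    print(static_mapping_ok("192.168.0.200", "192.168.0.100", "192.168.0.210"))
```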

5.2 Service Definitions

On the Definitions & Users > Service Definitions page you can centrally define and manage services and service groups. Services are definitions of certain types of network traffic and combine information about a protocol such as TCP or UDP with protocol-related options such as port numbers. You can use services to determine the types of traffic accepted or denied by UTM.

Tip – When you click the Info icon of a service definition in the Service Definitions list, you can see all configuration options in which the service definition is used.

To create a service definition, proceed as follows:

1. On the Service Definitions page, click New Service Definition.
   The Create New Service Definition dialog box opens.

2. Make the following settings:
   (Note that further parameters of the service definition are displayed depending on the selected definition type.)

   Name: Enter a descriptive name for this definition.

   Type of Definition: Select the service type. The following types are available:

   - TCP: Transmission Control Protocol (TCP) connections use port numbers ranging from 0 to 65535. TCP detects lost packets and retransmits them. In a TCP connection, the receiver acknowledges to the sender that a data packet was received successfully (connection-oriented protocol). TCP sessions begin with a three-way handshake and connections are closed at the end of the session. Provide the following information:
     - Destination Port: Enter the destination port either as a single port number (e.g., 80) or as a range (e.g., 1024:64000), using a colon as delimiter.


     - Source Port: Enter the source port either as a single port number (e.g., 80) or as a range (e.g., 1024:64000), using a colon as delimiter.
   - UDP: The User Datagram Protocol (UDP) uses port numbers between 0 and 65535 and is a stateless protocol. Because it does not keep state, UDP is faster than TCP, especially when sending small amounts of data. This statelessness, however, also means that UDP cannot recognize when packets are lost or dropped; the receiving computer does not signal the sender when it receives a data packet. When you have selected UDP, the same configuration options can be edited as for TCP.
   - TCP/UDP: A combination of TCP and UDP, appropriate for application protocols that use both transport protocols, such as DNS. When you have selected TCP/UDP, the same configuration options can be edited as for TCP or UDP.
   - ICMP/ICMPv6: The Internet Control Message Protocol (ICMP) is chiefly used to send error messages, indicating, for example, that a requested service is not available or that a host or router could not be reached. Once you have selected ICMP or ICMPv6, select the ICMP type/code. Note that IPv4 firewall rules do not work with ICMPv6 and IPv6 firewall rules do not work with ICMP.
   - IP: The Internet Protocol (IP) is the network layer protocol used for exchanging data over the Internet. Once you have selected IP, provide the number of the protocol to be encapsulated within IP, for example 121 (representing the SMP protocol).
   - ESP: The Encapsulating Security Payload (ESP) is part of the IPsec protocol suite and provides encryption for data tunneled via VPN. Once you have selected ESP or AH, provide the Security Parameters Index (SPI), which in combination with the destination IP address identifies the security association. You can either enter a single value between 256 and 4,294,967,295 (the SPI is a 32-bit field) or keep the default setting, given as the range from 256 to 4,294,967,295 (using a colon as delimiter). The range is the right choice especially when using automatic IPsec key exchange, because the SPIs are then negotiated at run time. Note that the values 1 to 255 are reserved by the Internet Assigned Numbers Authority (IANA).
   - AH: The Authentication Header (AH) is part of the IPsec protocol suite and sits between the IP header and the datagram payload to protect the integrity of the data, but not its confidentiality.
   - Group: A container that includes a list of other service definitions. You can use it to bundle service definitions for better readability of your configuration. Once you have selected Group, the Members box opens, where you can add group members (i.e., other service definitions).

   Comment (optional): Add a description or other information.

3. Click Save.
   The new definition appears on the Service Definitions list.

To either edit or delete a definition, click the corresponding buttons.

Note – The type of definition cannot be changed afterwards. If you want to change the type of a definition, you must delete the service definition and create a new one with the desired settings.
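The Python example below turns the service types described above into packet-matching rules: it parses TCP, UDP and TCP/UDP definitions with single ports or colon-delimited ranges, ICMP/ICMPv6 with type and optional code, IP with a protocol number, and ESP/AH with an SPI or SPI range (default 256:4294967295), and then decides whether a packet falls under a definition or a service group, which is the check a firewall rule referencing the service has to make. It is an added example, not Sophos UTM code, and the packets are constructed dictionaries rather than captured traffic.

```python
"""Service definitions as packet-matching rules.

Added example, not Sophos UTM code. Packets below are constructed
dictionaries; port and SPI limits follow the text above.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

PORT_MAX, PROTO_MAX, SPI_MAX = 65535, 255, 4294967295
SPI_MIN = 256   # 1-255 are IANA-reserved


def parse_range(text, lo: int, hi: int) -> Tuple[int, int]:
    """'80' -> (80, 80); '1024:64000' -> (1024, 64000); bounds and order checked."""
    first_s, _, last_s = str(text).partition(":")
    first = int(first_s)
    last = int(last_s) if last_s else first
    if not lo <= first <= last <= hi:
        raise ValueError(f"{text!r} is not a range within {lo}..{hi}")
    return first, last


def valid_port_range(text: str) -> bool:
    try:
        parse_range(text, 0, PORT_MAX)
        return True
    except ValueError:
        return False


def in_range(value: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= value <= rng[1]


@dataclass(frozen=True)
class Service:
    kind: str                                # tcp, udp, tcp/udp, icmp, icmpv6, ip, esp, ah
    dst_ports: Tuple[int, int] = (0, PORT_MAX)
    src_ports: Tuple[int, int] = (0, PORT_MAX)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None          # None = any code
    ip_protocol: Optional[int] = None
    spi: Tuple[int, int] = (SPI_MIN, SPI_MAX)


def parse_service(kind: str, **opts) -> Service:
    k = kind.lower()
    if k in ("tcp", "udp", "tcp/udp"):
        return Service(k, parse_range(opts.get("dst", "0:65535"), 0, PORT_MAX),
                       parse_range(opts.get("src", "0:65535"), 0, PORT_MAX))
    if k in ("icmp", "icmpv6"):
        code = opts.get("code")
        return Service(k, icmp_type=parse_range(opts["type"], 0, 255)[0],
                       icmp_code=None if code is None else parse_range(code, 0, 255)[0])
    if k == "ip":
        return Service(k, ip_protocol=parse_range(opts["protocol"], 0, PROTO_MAX)[0])
    if k in ("esp", "ah"):
        spi = opts.get("spi", f"{SPI_MIN}:{SPI_MAX}")
        return Service(k, spi=parse_range(spi, SPI_MIN, SPI_MAX))
    raise ValueError(f"unknown service type {kind!r}")


def matches(service: Service, pkt: Dict) -> bool:
    """pkt carries 'proto' plus the fields of that protocol."""
    p = pkt["proto"]
    if service.kind == "tcp/udp":
        if p not in ("tcp", "udp"):
            return False
    elif p != service.kind:
        return False                     # an ICMP service never matches ICMPv6
    if p in ("tcp", "udp"):
        return (in_range(pkt["dport"], service.dst_ports)
                and in_range(pkt["sport"], service.src_ports))
    if p in ("icmp", "icmpv6"):
        return pkt["type"] == service.icmp_type and (
            service.icmp_code is None or pkt["code"] == service.icmp_code)
    if p == "ip":
        return pkt["protocol"] == service.ip_protocol
    return in_range(pkt["spi"], service.spi)   # esp / ah


def group_matches(members: Sequence[Service], pkt: Dict) -> bool:
    """A service group matches when any member matches."""
    return any(matches(s, pkt) for s in members)


if __name__ == "__main__":
    http = parse_service("TCP", dst="80", src="1024:65535")
    dns = parse_service("TCP/UDP", dst="53")
    print(matches(http, {"proto": "tcp", "dport": 80, "sport": 40000}))
    print(matches(dns, {"proto": "udp", "dport": 53, "sport": 5353}))
    print(group_matches([http, dns], {"proto": "tcp", "dport": 443, "sport": 40000}))
```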

5.3 Time Period Definitions

On the Definitions & Users > Time Period Definitions page you can define single or recurring time slots that can in turn be used to limit, for example, firewall rules or content filter profile assignments to specific time ranges.

Tip – When you click the Info icon of a time period definition in the Time Period Definitions list, you can see all configuration options in which the time period definition is used.

To create a time period definition, proceed as follows:

1. On the Time Period Definitions tab, click New Time Period Definition.
   The Create New Time Period Definition dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this time period definition.

   Type: Select the time period definition type. The following types are available:

   - Recurring Event: These events are repeated periodically. You can select the start time, the end time, and the weekdays on which the time period definition applies. If the time span extends into the next day, the selected weekdays refer to the start time. Start and stop dates cannot be selected for this type.


   - Single Event: These events only take place once. You can select both a start date/time and an end date/time. As these definitions do not recur, the option Weekdays cannot be selected for this type.

   Comment (optional): Add a description or other information.

3. Click Save.
   The new time period definition appears on the Time Period Definitions list.

To either edit or delete a time period definition, click the corresponding buttons.
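The Python example below evaluates both definition types from the procedure above, with the rule for spans that cross midnight implemented as stated: the weekdays refer to the start time, so a Friday 22:00 to 06:00 period is active in the early hours of Saturday but not on Saturday evening. It is an added example, not Sophos UTM code; timestamps are naive local times, and a recurring span whose end equals its start is treated as lasting a full day, which is an assumption the text does not state.

```python
"""Evaluating Time Period Definitions.

Added example, not Sophos UTM code. Naive local timestamps; a recurring
span with end == start is assumed to last 24 hours (not stated in the text).
"""
from datetime import date, datetime, time, timedelta
from typing import Iterable, Set

_DAY_INDEX = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


class RecurringEvent:
    def __init__(self, start: time, end: time, weekdays: Iterable[str]):
        self.start, self.end = start, end
        self.days: Set[int] = {_DAY_INDEX[d[:3].lower()] for d in weekdays}
        self.crosses_midnight = end <= start

    def _window(self, start_day: date):
        begin = datetime.combine(start_day, self.start)
        finish = datetime.combine(start_day, self.end)
        if self.crosses_midnight:
            finish += timedelta(days=1)
        return begin, finish

    def is_active(self, now: datetime) -> bool:
        # Candidate start days: today, plus yesterday when the span can run past
        # midnight. The weekday test applies to the start day only, as documented.
        days = [now.date()]
        if self.crosses_midnight:
            days.append(now.date() - timedelta(days=1))
        for start_day in days:
            if start_day.weekday() in self.days:
                begin, finish = self._window(start_day)
                if begin <= now < finish:
                    return True
        return False


class SingleEvent:
    def __init__(self, start: datetime, end: datetime):
        if end <= start:
            raise ValueError("end must be after start")
        self.start, self.end = start, end

    def is_active(self, now: datetime) -> bool:
        return self.start <= now < self.end


if __name__ == "__main__":
    night_shift = RecurringEvent(time(22, 0), time(6, 0), ["Fri"])
    # 2014-10-03 is a Friday: 23:00 active, Saturday 05:30 still the Friday span,
    # Saturday 23:00 not active because Saturday is not a selected start day.
    for when in (datetime(2014, 10, 3, 23, 0), datetime(2014, 10, 4, 5, 30),
                 datetime(2014, 10, 4, 23, 0)):
        print(when, night_shift.is_active(when))
```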

5.4 Users & Groups

The Definitions & Users > Users & Groups menu lets you create users and groups for WebAdmin access as well as for remote access, User Portal access, email usage, etc.

5.4.1 Users

On the Definitions & Users > Users & Groups > Users tab you can add user accounts to UTM. In its factory default configuration, Sophos UTM has one administrator, called admin.

Tip – When you click the Info icon of a user definition in the Users list, you can see all configuration options in which the user definition is used.

When you specify an email address in the New User dialog box, an X.509 certificate for this user is generated while the user definition is created, using the email address as the certificate's VPN ID. If no email address is specified, a certificate is created with the user's Distinguished Name (DN) as VPN ID instead. That way, if a user is authenticated by means of a backend group such as eDirectory, a certificate is created even if no email address is set in the corresponding backend user object.

Because the VPN ID of each certificate must be unique, each user definition must have a different email address. Creating a user definition with an email address already present in the system fails. The certificates can be used for the various remote access methods supported by Sophos UTM, with the exception of PPTP, L2TP over IPsec using PSK, and native IPsec using RSA or PSK.

To add a user account, proceed as follows:


1. On the Users tab, click New User.
   The Create New User dialog box opens.

2. Make the following settings:

   Username: Enter a descriptive name for this user (e.g., jdoe). Note that for remote access via PPTP or L2TP over IPsec, the username may only contain ASCII printable characters (see http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters).

   Real name: Enter the user's real name (e.g., John Doe).

   Email address: Enter the user's primary email address.

   Additional email addresses (optional): Enter additional email addresses of this user. Spam emails sent to any of these addresses are listed in an individual Quarantine Report for each email address, which is sent to the primary email address specified above.

   Authentication: Select the authentication method. The following methods are available:

   - Local: Select to authenticate the user locally on UTM.
   - Remote: Select to authenticate the user using one of the external authentication methods supported by Sophos UTM. For more information, see Definitions & Users > Authentication Services.
   - None: Select to prevent the user from authenticating at all. This is useful, for example, to disable a user temporarily without the need to delete the user definition altogether.

   Password: Enter a user password (a second time for verification). Only available if you selected Local as authentication method. Note that Basic User Authentication does not support umlauts. Note that for remote access via PPTP or L2TP over IPsec, the password may only contain ASCII printable characters (see http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters).

   Backend sync: Some basic settings of the user definition, such as the real name or the user's email address, can be updated automatically by synchronizing the data with external backend authentication servers (only available if you selected Remote as authentication method). Note that the option is set automatically according to the Enable Backend Sync on Login option on the Authentication Services > Advanced tab if the user is selected for prefetching.

   Note – Currently, only data from Active Directory and eDirectory servers can be synchronized.

   X.509 certificate: Once the user definition has been created, you can assign an X.509 certificate to this user when editing the user definition. By default, this is the certificate that was generated automatically upon creating the user definition. However, you can also assign a third-party certificate, which you can upload on the Remote Access > Certificate Management > Certificates tab.

   Use static remote access IP (optional): Select if you want to assign a static IP address to a user gaining remote access, instead of assigning a dynamic IP address from an IP address pool. For IPsec users behind a NAT router, for example, it is mandatory to use a static remote access IP address.

   Note – The static remote access IP can only be used for remote access through PPTP, L2TP, and IPsec. It cannot be used for remote access through SSL.

   Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:
   Users can create and maintain their own email whitelist and blacklist (see chapter User Portal). You can view those lists here and, if necessary, modify them.

4. Click Save.
   The new user account appears on the Users list.

If you want to make this user a regular administrator with access to the web-based administrative interface WebAdmin, add the user to the group SuperAdmins, which is configured on the Definitions & Users > Users & Groups > Groups tab in WebAdmin.

Note – If you have deleted a user object and want to create a user object with the same name, make sure you have also deleted the certificate associated with this user on the Remote Access > Certificate Management > Certificates tab. Otherwise you will get an error message stating that an item with that name already exists.


You can download the remote access certificates and/or configurations of users for whom some sort of remote access has been enabled. To do so, select the checkbox in front of the respective users and select the desired option from the Actions drop-down list in the list header. Remote access users can also download those files themselves if they are allowed to use the User Portal.

5.4.2 Groups

On the Definitions & Users > Users & Groups > Groups page you can add user groups to UTM. In its factory default configuration, Sophos UTM has one user group, called SuperAdmins. If you want to assign administrative privileges to users, that is, grant them access to WebAdmin, add them to the SuperAdmins group; this group should not be deleted.

Tip – When you click the Info icon of a group definition in the Groups list, you can see all configuration options in which the group definition is used.

To add a user group, proceed as follows:

1. On the Groups tab, click New Group.
   The Create New Group dialog box opens.

2. Make the following settings:

   Group name: Enter a descriptive name for this group. Note that this name does not need to correspond to the names of your backend groups.

   Group type: Select the type of the group. You can choose between a group of static members and two group types with dynamic membership.

   - Static members: Select the local users who are to become members of this group.
   - IPsec X509 DN mask: Users are dynamically added to an IPsec X509 DN group definition if they have successfully logged in to the gateway through an IPsec connection and if specific parameters of their distinguished names match the values specified in the DN Mask box.
   - Backend membership: Users are dynamically added to a group definition if they have been successfully authenticated by one of the supported authentication mechanisms. To proceed, select the appropriate backend authentication type:
     - Active Directory: An Active Directory user group of UTM provides group memberships to members of Active Directory server user groups configured on a Windows network. For more information, see Definitions & Users > Authentication Services > Servers.

     - eDirectory: An eDirectory user group of UTM provides group memberships to members of eDirectory user groups configured on an eDirectory network. For more information, see Definitions & Users > Authentication Services > Servers.
     - RADIUS: Users are automatically added to a RADIUS backend group when they have been successfully authenticated using the RADIUS authentication method.
     - TACACS+: Users are automatically added to a TACACS+ backend group when they have been successfully authenticated using the TACACS+ authentication method.
     - LDAP: Users are automatically added to an LDAP backend group when they have been successfully authenticated using the LDAP authentication method.

     Limit to backend group(s) membership (optional; only with backend groups Active Directory or eDirectory): For all X.500-based directory services you can restrict the membership to certain groups present on your backend server if you do not want all users of the selected backend server to be included in this group definition. The group(s) you enter once you have selected this option must match a Common Name as configured on your backend server. Note that if you select this option for an Active Directory backend, you can omit the CN= prefix. If you select this option for an eDirectory backend, you can use the eDirectory browser, which lets you conveniently select the eDirectory groups that should be included in this group definition. However, if you do not use the eDirectory browser, make sure to include the CN= prefix when entering eDirectory containers.

     Check an LDAP attribute (optional; only with backend group LDAP): If you do not want all users of the selected backend LDAP server to be included in this group definition, you can select this checkbox to restrict the membership to those users matching a certain LDAP attribute present on your backend server. This attribute is then used as an LDAP search filter. For example, you could enter groupMembership as attribute with CN=Sales,O=Example as its value. That way you would include all users belonging to the sales department of your company in the group definition.

     Without one of these restrictions, a backend membership group includes every user the backend server authenticates successfully, so restrict the group before using it to grant privileges such as WebAdmin access.

   Comment (optional): Add a description or other information.


3. Click Save.
   The new user group appears on the Groups list.

To either edit or delete a group, click the corresponding buttons.
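The Python example below shows what sits behind the Check an LDAP attribute option above: the backend lookup has to combine "which entry is this user" with "does that entry carry the required attribute value" in one RFC 4515 search filter, and because the username comes from a login form it must be escaped, otherwise a name such as jdoe*)(objectClass=* rewrites the filter and turns the membership check into a wildcard match. It is an added example, not Sophos UTM code: the user naming attribute (uid) and the filter layout are assumptions, the attribute/value pair groupMembership=CN=Sales,O=Example is the one from the text, and the raw-interpolation variant is included only for contrast.

```python
"""Building the LDAP search filter behind "Check an LDAP attribute".

Added example, not Sophos UTM code. The uid naming attribute and the
filter layout are assumptions; naive_group_filter() shows what NOT to do.
"""
import re

# RFC 4512 attribute description without options: letter, then letters/digits/hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 (\\xx hex escapes)."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        elif ord(ch) > 0x7F:                       # non-ASCII: escape each UTF-8 byte
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def _check_attribute_name(name: str) -> str:
    """Attribute names are admin-supplied, but still refuse anything odd."""
    if not _ATTR_RE.match(name):
        raise ValueError(f"invalid LDAP attribute name: {name!r}")
    return name


def build_group_filter(username: str, attribute: str, value: str,
                       user_attr: str = "uid") -> str:
    """(&(uid=<user>)(<attribute>=<value>)) with both values escaped."""
    return "(&({}={})({}={}))".format(
        _check_attribute_name(user_attr), escape_filter_value(username),
        _check_attribute_name(attribute), escape_filter_value(value))


def naive_group_filter(username: str, attribute: str, value: str,
                       user_attr: str = "uid") -> str:
    """What NOT to do: raw interpolation lets the username close the clause
    and add its own, so the membership condition no longer constrains the match."""
    return f"(&({user_attr}={username})({attribute}={value}))"


if __name__ == "__main__":
    attacker = "jdoe*)(objectClass=*"
    print(naive_group_filter(attacker, "groupMembership", "CN=Sales,O=Example"))
    print(build_group_filter(attacker, "groupMembership", "CN=Sales,O=Example"))
```

In the escaped form the whole attacker string stays inside the uid assertion, so the only way for the lookup to succeed is an entry that really carries groupMembership=CN=Sales,O=Example.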

5.5 Client Authentication

Sophos provides an authentication client for Windows and Mac OS so that users authenticate directly at the UTM. This gives you user-based control over web surfing and network traffic by, for example, creating firewall rules based on user networks or group networks. Additionally, wherever possible, IP addresses, hostnames, and the like are replaced by usernames to make reporting data and objects easier to read.

Note – In WebAdmin, user network objects authenticated via client authentication are always shown as unresolved, for performance reasons.

Users who want or are required to use Client Authentication need to install the Sophos Authentication Agent (SAA) on their Windows PC or Mac OS computer. The SAA can be downloaded either via this WebAdmin page or via the User Portal. Note that only users who are within the user group of the Client Authentication configuration will find a download link on their User Portal page.

To configure Client Authentication, do the following:

1. On the Client Authentication tab, enable Client Authentication.
   Click the toggle switch.
   The toggle switch turns green and the Client Authentication Options area becomes editable.

2. Select the allowed networks.
   Add or select the networks that should use Client Authentication. Note that those networks need to be directly connected to the UTM for Client Authentication to work. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

3. Select the allowed users and groups.
   Select single users or groups or add new users to the Allowed Users and Groups box. This can also be an already existing authentication group, e.g., an Active Directory user group. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.


4. Click Apply.
   Your settings are saved.

Client Authentication is now available for the selected networks.

Client Authentication Program

When Client Authentication is enabled, you can download the Sophos Authentication Agent (SAA) here. You can either distribute the SAA manually or have your users download the client from the User Portal.

Download EXE: Downloads the Client Authentication program including the CA certificate for direct installation on client PCs. This is the same file that can be downloaded from the User Portal.

Download MSI: Downloads the Client Authentication MSI package. This package is designed for automatic package installation via domain controller (DC) and does not contain the CA certificate.

Download DMG: Downloads the Client Authentication Mac OS X disk image. This image is designed for installation on client computers running OS X.

Download CA: Downloads the CA certificate that has to be rolled out in addition to the MSI package.

The SAA can be used as authentication mode for the Web Filter. For more information see chapter Web Protection > Web Filtering > Global.

5.6 Authentication Services

On the Definitions & Users > Authentication Services page, the databases and backend servers of external user authentication services such as Single Sign-On or One-time Password can be managed. External user authentication allows you to validate user accounts against existing user databases or directory services on other servers of your network. The authentication services currently supported are:

- Novell's eDirectory
- Microsoft's Active Directory
- RADIUS
- TACACS+
- LDAP


5.6.1 Global Settings

The Definitions & Users > Authentication Services > Global Settings tab lets you configure basic authentication options. The following options are available:

Create users automatically: When this option is selected, Sophos UTM will automatically create a user object whenever an unknown user of a configured backend group successfully authenticates against one of the various authentication services supported by Sophos UTM. For example, if you configure a RADIUS backend group and you add this group as a member to one of the roles defined on the Management > WebAdmin Settings > Access Control tab, Sophos UTM will automatically create a user definition for a RADIUS user who has successfully logged in to WebAdmin.

• Automatic User Creation for Facilities: Automatic user creation can be enabled or disabled for specific services. Users are only created for enabled services. This option is not available—and automatic user creation is disabled for all facilities—when the Create users automatically option is not selected.

Note – This feature does not work for Active Directory Single Sign-On (SSO).

Those user objects are also needed to grant access to the User Portal of Sophos UTM. In addition, for all user objects created automatically an X.509 certificate will be generated. Note, however, that automatic user creation will fail in case of an email address conflict: the user definition to be created automatically must not have configured an email address that is already present on the system. All email addresses must be unique within the system because they are used as identifiers for X.509 certificates.

Important Note – Authentication (i.e., the action of determining who a user is) and authorization (i.e., the action of determining what a user is allowed to do) for a user whose user object was created automatically are always done on the remote backend server/directory service. Therefore, automatically created user objects in Sophos UTM are useless if the corresponding backend server is not available or if the user object has been deleted on the remote site.

Note also that except for Active Directory Single Sign-On (SSO) Sophos UTM caches user authentication data it has retrieved from a remote authentication server for 300 seconds. For this reason, changes made to the remote user settings will only take effect after the cache has expired.

Authentication Cache

Every time Sophos UTM gets a user request, e.g., http, from a yet unknown user and authentication is required, the Sophos User Authentication (SUA) writes an entry to the authentication cache. In environments with frequently changing users it can be reasonable to empty the cache from time to time; the same applies if you want to force an immediate new authentication for all users. Use the button Flush Authentication Cache to empty the authentication cache.

An authentication is valid for 300 seconds. During this time, other authentication requests by the same user are looked up directly in the cache. This technique takes load off backend authentication services like eDirectory.

Note – Flushing the cache does not affect users that are remotely logged on.

Live Log

Open Live Log: Click the button to see the log of the Sophos User Authentication (SUA) in a new window.

5.6.2 Servers

On the Definitions & Users > Authentication Services > Servers tab, you can create one or more authentication servers. Follow the links to create them:

• eDirectory
• Active Directory
• LDAP
• RADIUS
• TACACS+

5.6.2.1 eDirectory

Novell eDirectory is an X.500 compatible directory service for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object-oriented database that represents all the assets in an organization in a logical tree. Those assets can include people, servers, workstations, applications, printers, services, groups, and so on.


To configure eDirectory authentication, proceed as follows:

1. On the Servers tab, click New Authentication Server.
   The dialog box Create New Authentication Server opens.

2. Make the following settings:

   Backend: Select eDirectory as backend directory service.

   Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.

   Server: Select or add an eDirectory server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   SSL: Select this option to enable SSL data transfer. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

   Port: Enter the port of the eDirectory server. By default, this is port 389.

   Bind DN: The Distinguished Name (DN) of the user to bind to the server with. This user is needed if anonymous queries to the eDirectory server are not allowed. Note that the user must have sufficient privileges to obtain all relevant user object information from the eDirectory server in order to authenticate users. eDirectory users, groups, and containers can be specified by the full distinguished name in LDAP notation, using commas as delimiters (e.g., CN=administrator,DC=intranet,DC=example,DC=com).

   Password: Enter the password of the bind user.

   Test server settings: Pressing the Test button performs a bind test with the configured server. This verifies that the settings on this tab are correct, and the server is up and accepts connections.

   Base DN: The starting point relative to the root of the LDAP tree where the users are included who are to be authenticated. Note that the base DN must be specified by the full distinguished name (FDN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD). Base DN may be empty. In this case, the base DN is automatically retrieved from the directory.

   Username: Enter the username of a test user to perform a regular authentication.

   Password: Enter the password of the test user.


   Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.

3. Click Save.
   The server will be displayed in the Servers list.

Figure 17   Groups: eDirectory Browser of Sophos UTM

5.6.2.2 Active Directory

Active Directory (AD) is Microsoft's implementation of a directory service and is a central component of Windows 2000/2003 servers. It stores information about a broad range of resources residing on a network, including users, groups, computers, printers, applications, services, and any type of user-defined objects. As such it provides a means of centrally organizing, managing, and controlling access to these resources.

The Active Directory authentication method allows you to register Sophos UTM at a Windows domain, thus creating an object for Sophos UTM on the primary domain controller (DC). UTM is then able to query user and group information from the domain.

Note – UTM supports Active Directory 2003 and newer.


To configure Active Directory authentication, proceed as follows:

1. On the Servers tab, click New Authentication Server.
   The dialog box Create New Authentication Server opens.

2. Make the following settings:

   Backend: Select Active Directory as backend directory service.

   Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.

   Server: Select or add an Active Directory server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   SSL: Select this option to enable SSL data transfer. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

   Port: Enter the port of the Active Directory server. By default, this is port 389.

   Bind DN: The full Distinguished Name (DN) of the user to bind to the server in LDAP notation. This user is needed if anonymous queries to the Active Directory server are not allowed. The bind user must have sufficient privileges to obtain all relevant user object information from the Active Directory server in order to authenticate users; a requirement usually met by the administrator of the domain.

   Each DN consists of one or more Relative Distinguished Names (RDN) constructed from some attributes of the Active Directory user object and includes its username, the node where it resides, and the top-level DN of the server, all specified in LDAP notation and separated by commas.

   • The username must be the name of the user who is able to access the directory and is to be specified by the CN designator (e.g., CN=user). While using a popular account with domain permissions, such as "admin", is possible, it is highly recommended for best practices that the user not have admin rights, as it is sufficient for them to have read permission on all objects of the subtree starting at the given base DN.

   • The information of the node where the user object resides must include all subnodes between the root node and the user object and is usually comprised of so-called organizational units and common name components. Organizational units (indicated by the combined folder/book icon in the Microsoft Management Console) are to be specified by the OU designator. Note that the order of the nodes is from the lowest to the highest node, that is, the more specific elements come first (e.g., OU=Management_US,OU=Management). On the other hand, default Active Directory containers (indicated by a simple Folder icon) such as the pre-defined Users node are to be specified using the CN designator (e.g., CN=Users).

   • The top-level DN of the server can consist of several domain components, each specified by the DC designator. Note that the domain components are given in the same order as the domain name (for example, if the domain name is example.com, the DN part would be DC=example,DC=com).

   An example bind user DN for a user named administrator whose object is stored in the Users container in a domain called example.com would look like this:

   CN=administrator,CN=Users,DC=example,DC=com

Figure 18   Authentication: Microsoft Management Console

   Now, suppose you create an organizational unit called Management with the subnode Management_US and move the administrator user object into it, the DN of the administrator would change to:

   CN=administrator,OU=Management_US,OU=Management,DC=example,DC=com

   Password: Enter the password of the bind user.

   Test server settings: Pressing the Test button performs a bind test with the configured server. This verifies that the settings on this tab are correct, and the server is up and accepts connections.

   Base DN: The starting point relative to the root of the LDAP tree where the users are included who are to be authenticated. Note that the base DN must be specified by the full distinguished name (FDN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD). Base DN may be empty. In this case, the base DN is automatically retrieved from the directory.

   Username: Enter the username of a test user to perform a regular authentication.

   Password: Enter the password of the test user.

   Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.

3. Click Save.
   The server will be displayed in the Servers list.
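To make the DN rules from the Bind DN description concrete, here is an added Python example (not part of the Sophos manual) that builds a bind DN from the username, the container path as shown top-down in the Microsoft Management Console, and the domain name, and that checks a DN typed by an administrator against the same rules before it is pasted into WebAdmin. All function names are my own; the rules implemented are the ones stated above.

```python
# RFC 4514: characters that must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_labels(domain: str) -> list:
    """'example.com' -> ['example', 'com']; the DC order follows the domain name."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain name must contain at least one label")
    return labels


def build_bind_dn(username: str, path, domain: str) -> str:
    """Build the Bind DN for an Active Directory user object.

    `path` lists the nodes from the top of the tree down to the object, the way
    they are shown in the Microsoft Management Console, as (designator, name)
    pairs: 'OU' for organizational units, 'CN' for default containers such as
    Users. The DN lists them the other way round, most specific node first.
    """
    rdns = ["CN=" + escape_rdn_value(username)]
    for designator, name in reversed(list(path)):
        if designator not in ("OU", "CN"):
            raise ValueError(f"node designator must be OU or CN, not {designator!r}")
        rdns.append(f"{designator}={escape_rdn_value(name)}")
    rdns.extend("DC=" + escape_rdn_value(label) for label in domain_labels(domain))
    return ",".join(rdns)


def split_dn(dn: str) -> list:
    """Split a DN into (DESIGNATOR, value) pairs.

    Backslash-escaped characters are unescaped; hex-pair escapes are not
    decoded, which is enough for DNs typed into WebAdmin.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    pairs = []
    for part in parts:
        designator, _, value = part.partition("=")
        pairs.append((designator.strip().upper(), value.strip()))
    return pairs


def check_bind_dn(dn: str, domain: str) -> list:
    """Return the problems found in a Bind DN against the rules in the manual
    (an empty list means the DN has the expected shape). This checks syntax
    only; whether the object exists is what the Test button verifies."""
    problems = []
    pairs = split_dn(dn)
    if not pairs or pairs[0][0] != "CN" or not pairs[0][1]:
        problems.append("the first RDN must be CN=<username>")
    if pairs and pairs[-1][0] != "DC":
        problems.append("the DN must end with the DC components")
    if [v for d, v in pairs if d == "DC"] != domain_labels(domain):
        problems.append("DC components must match the domain name in the same order: "
                        + ",".join("DC=" + label for label in domain_labels(domain)))
    middle = [d for d, _ in pairs[1:] if d != "DC"]
    if any(d not in ("OU", "CN") for d in middle):
        problems.append("nodes between the user and the domain must be OU or CN")
    return problems
```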

User Principal Name

Sometimes users should be required to use the User Principal Name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers.

• Clone a desired server to start a new server
• Change Backend to LDAP
• Change User Attribute to <<Custom>>
• Enter userPrincipalname into Custom field.

If not present already, this will set up a 'LDAP Users' group which you will have to use instead of the 'Active Directory Users' group.

Note – The format domain\user is not supported. Use the format user@domain instead.

5.6.2.3 LDAP

LDAP, an abbreviation for Lightweight Directory Access Protocol, is a networking protocol for querying and modifying directory services based on the X.500 standard. Sophos UTM uses the LDAP protocol to authenticate users for several of its services, allowing or denying access based on attributes or group memberships configured on the LDAP server.

To configure LDAP authentication, proceed as follows:

1. On the Servers tab, click New Authentication Server.
   The dialog box Create New Authentication Server opens.


2. Make the following settings:

   Backend: Select LDAP as backend directory service.

   Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.

   Server: Select or add an LDAP server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   SSL: Select this option to enable SSL data transfer. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

   Port: Enter the port of the LDAP server. By default, this is port 389.

   Bind DN: The Distinguished Name (DN) of the user to bind to the server with. This user is mandatory. For security reasons, anonymous queries to the LDAP server are not supported. Note that the user must have sufficient privileges to obtain all relevant user object information from the LDAP server in order to authenticate users. LDAP users, groups, and containers can be specified by the full distinguished name in LDAP notation, using commas as delimiters (e.g., CN=administrator,DC=intranet,DC=example,DC=com).

   Password: Enter the password of the bind user.

   Test server settings: Pressing the Test button performs a bind test with the configured server. This verifies that the settings on this tab are correct, and the server is up and accepts connections.

   User attribute: Select the user attribute that is to be used as the filter for searching the LDAP directory. The user attribute contains the actual login name each user is prompted for, for example by remote access services. The following user attributes can be selected:

   • CN (Common Name)
   • SN (Surname)
   • UID (User ID)

   If usernames in your LDAP directory are not stored in any of these forms, select <<Custom>> from the list and enter your custom attribute into the Custom field below. Note that this attribute must be configured on your LDAP directory.


   Base DN: The starting point relative to the root of the LDAP tree where the users are included who are to be authenticated. Note that the base DN must be specified by the full distinguished name (FDN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD). Base DN may be empty. In this case, the base DN is automatically retrieved from the directory.

   Username: Enter the username of a test user to perform a regular authentication.

   Password: Enter the password of the test user.

   Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.

3. Click Save.
   The server will be displayed in the Servers list.

5.6.2.4 RADIUS

RADIUS, the acronym of Remote Authentication Dial In User Service, is a widespread protocol for allowing network devices such as routers to authenticate users against a central database. In addition to user information, RADIUS can store technical information used by network devices, such as supported protocols, IP addresses, routing information, and so on. This information constitutes a user profile, which is stored in a file or database on the RADIUS server.

The RADIUS protocol is very flexible, and servers are available for most operating systems. The RADIUS implementation on UTM allows you to configure access rights on the basis of proxies and users. Before you can use RADIUS authentication, you must have a running RADIUS server on the network. Whereas passwords are encrypted using the RADIUS secret, the username is transmitted in plain text.

To configure RADIUS authentication, proceed as follows:

1. On the Servers tab, click New Authentication Server.
   The dialog box Create New Authentication Server opens.

2. Make the following settings:

   Backend: Select RADIUS as backend directory service.

   Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.


   Server: Select or add a RADIUS server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   Port: Enter the port of the RADIUS server. By default, this is port 1812.

   Shared Secret: The shared secret is a text string that serves as a password between a RADIUS client and a RADIUS server. Enter the shared secret.

   Test server settings: Pressing the Test button performs a bind test with the configured server. This verifies that the settings on this tab are correct, and the server is up and accepts connections.

   Username: Enter the username of a test user to perform a regular authentication.

   Password: Enter the password of the test user.

   NAS identifier: Select the appropriate NAS identifier from the list. For more information see the Note and the table below.

   Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.

3. Click Save.
   The server will be displayed in the Servers list.

Note – Each user authentication service of Sophos UTM such as PPTP or L2TP querying the RADIUS server sends a different identifier (NAS identifier) to the RADIUS server. For example, the PPTP service sends the NAS identifier pptp to the RADIUS server when trying to authenticate this user. That way, the various services can be differentiated on the RADIUS server, which is useful for authorization purposes, that is, the granting of specific types of service to a user. Below you can find the list of user authentication services and their corresponding NAS identifier.

User Authentication Service   NAS Identifier
SSL VPN                       ssl
PPTP                          pptp
IPsec                         ipsec
L2TP over IPsec               l2tp
SMTP proxy                    smtp
User Portal                   portal
WebAdmin                      webadmin
SOCKS proxy                   socks
Web Filter                    http
Authentication Client         agent
Wireless Access Points        NAS ID is the wireless network name.

Table 1: RADIUS NAS Identifiers

5.6.2.5 TACACS+

TACACS+ (the acronym of Terminal Access Controller Access Control System) is a proprietary protocol by Cisco Systems, Inc. and provides detailed accounting information and administrative control over authentication and authorization processes. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates these operations. Another difference is that TACACS+ utilizes the TCP protocol (port 49) while RADIUS uses the UDP protocol.

To configure TACACS+ authentication, proceed as follows:

1. On the Servers tab, click New Authentication Server.
   The dialog box Create New Authentication Server opens.

2. Make the following settings:

   Backend: Select TACACS+ as backend directory service.

   Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.


   Server: Select or add a TACACS+ server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   Port: Enter the port of the TACACS+ server. By default, this is port 49.

   Key: Enter the authentication and encryption key for all TACACS+ communication between Sophos UTM and the TACACS+ server. The value for the key to be entered here should match the one configured on the TACACS+ server. Enter the key (second time for verification).

   Test server settings: Pressing the Test button performs a bind test with the configured server. This verifies that the settings on this tab are correct, and the server is up and accepts connections.

   Username: Enter the username of a test user to perform a regular authentication.

   Password: Enter the password of the test user.

   Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.

3. Click Save.
   The server will be displayed in the Servers list.

5.6.3 Single Sign-On

On the Definitions & Users > Authentication Services > Single Sign-On tab you can configure single sign-on functionality for Active Directory and/or eDirectory.

Active Directory Single Sign-On (SSO)

Note that the Active Directory SSO facility is currently only used with the Web Filter to provide single sign-on with browsers that support NTLMv2 or Kerberos authentication.

To activate the single sign-on functionality, UTM must join the Active Directory domain. In order for the domain joining to work, the following prerequisites must be met:

• The time zone on the gateway and the domain controller (DC) must be the same.
• There MUST NOT be a time difference of more than five minutes between the gateway clock and the DC clock.
• The UTM hostname must exist in the AD DNS system.


• UTM must use the AD DNS as forwarder, or must have a DNS request route for the AD domain which points to the AD DNS server.

Note – Active Directory Group Membership Synchronization uses the Single Sign-On (SSO) password to communicate with the AD server. If this password is changed, the new password needs to be entered and the UTM re-joined, for the UTM to sync with the server again.

To configure Active Directory SSO, do the following:

1. Create an Active Directory server on the Servers tab.

2. Make the following settings:

   Domain: Name of the domain (for example intranet.mycompany.com). UTM searches all DCs retrievable via DNS.

   Admin username: User with administrative privileges who is allowed to add computers to that domain (usually "Administrator").

   Password: The password of the admin user.

3. Click Apply.
   Your settings will be saved.

Note on Kerberos authentication support: In order for opportunistic SSO Kerberos support to work, the clients MUST use the FQDN hostname of UTM in their proxy settings—using the IP address will not work. NTLMv2 mode is not affected by this requirement, and will automatically be used if it is not met, or if the browser does not support Kerberos authentication.

eDirectory Single Sign-On (SSO)

Here, you can configure SSO for eDirectory. If you have configured eDirectory SSO as authentication method in Web Protection > Web Filtering, the eDirectory server selected here will be used.

To configure eDirectory SSO, do the following:

1. Create an eDirectory server on the Servers tab.

2. Make the following settings:

   Server: eDirectory server for which you want to enable SSO.

   Sync interval: Time (in seconds) between two synchronization events between UTM and eDirectory server.


3. Click Apply.
   Your settings will be saved.

5.6.4 One-time Password

On the Definitions & Users > Authentication Services > One-time Password tab you can configure the one-time password (OTP) service, and you can monitor or edit the tokens of the one-time password users. One-time passwords are a method to improve security for password-based authentication. The user-specific password, which is sometimes too weak, will be amended with a one-time password that is valid for only one login. Thus, even if an attacker gets hold of it, he will not be able to log in with it.

One-time passwords generally change consistently, in regular intervals, being calculated automatically by a specific algorithm. Soon after a new password is calculated, the old password expires automatically. To calculate one-time passwords, the user needs to have either a mobile device with an appropriate software, or a special hardware or security token. Hardware tokens are ready to use from the start. On the mobile device, the end user needs to install Google Authenticator or a similar software and deploy the configuration, which is available in the User Portal as a QR code, on the start page or on the OTP Token page (see User Portal page). Having done that, the device calculates one-time passwords in token-specific intervals. It is important that date and time are correct on the mobile device as the time stamp is used for one-time password generation.

Note – To authenticate on the facilities where the one-time password is required, the user has to enter his user-specific UTM password, directly followed by the one-time password.

The administrator can also generate one-time passwords, also known as passcodes, manually. In this case, you have to ensure that these one-time passwords, which are not time-limited, are safely transmitted to the end user. This process, however, should only be considered as a temporary solution, for example when a user temporarily has no access to his or her password calculating device.

Note – Once an OTP token is created an information icon appears on the right side for each token. You can view the QR code and its details by clicking on the information icon.

Enabling and Configuring One-time Password Service

To configure the one-time password service, do the following:


1. In the OTP Settings section, make the following settings:

   All users must use one-time passwords: By default, this checkbox is enabled and all users have to use one-time passwords. If only specific users should use one-time passwords, disable the checkbox and select or add users or groups to the box.

   Caution – If you disabled the function All users must use one-time passwords, this automatically affects the User/Groups in other parts of the UTM, for example Reverse Authentication.

   Note – The option Create users automatically must be activated for users with backend authentication. You can find the option under Definitions & Users > Authentication Services > Global Settings > Automatic user creation.

   Auto-create OTP tokens for users: If selected, a QR code for configuring the mobile device software will be presented to the authorized users the next time they log in to the User Portal. For this to work, make sure that the users have access to the User Portal (see Management > User Portal pages). When a user logs in to the User Portal, the respective token will appear in the OTP Tokens list. Enabling this feature is recommended when you are using soft tokens on mobile devices. If your users only use hardware tokens you should instead disable the checkbox and add or import the tokens before enabling the OTP feature.

   Enable OTP for facilities: Here you select the UTM facilities that should be accessed with one-time passwords by the selected users. When you select the Auto-create OTP tokens for users checkbox, the User Portal needs to be enabled for security reasons: As the User Portal gives access to the OTP tokens, it should have no weaker protection itself. To activate OTP for secure shell access, you have to additionally enable shell access usage for the respective tokens (see Adding or Editing OTP Tokens Manually). The corresponding users then have to log in as loginuser with the loginuser password, appended by the one-time password.

   Caution – Especially when selecting WebAdmin or Shell Access for OTP usage, you have to ensure that the selected users have access to the one-time password tokens. Otherwise you may log them out permanently.

2. In the Timestep Settings section, make the following settings:


Default token timestep: To synchronize one-time password generation on the mobile

device and on the UTM, the timestep has to be identical on both sides. Some hardware

tokens use 60 seconds. Other software OTP tokens use a timestep of 30 seconds whichis the default value here. If the timestep does not match, authentication fails. The value

entered here is used automatically for each new OTP token. The allowed range for the

timestep is10-120.

Maximum passcode offset: With this option you set the maximum passcode offset in timesteps. If you set 3 steps, for example, the UTM accepts a passcode only if the token clock has drifted no more than 3 timesteps between two logins. The allowed range is 0-10. Keep this window small: every additional step is one more passcode that an attacker guessing online may hit.

Maximum initial passcode offset: With this option you set the maximum passcode offset in timesteps for the first login with a token. If you set 10 steps, for example, the token clock may be off by no more than 10 timesteps at the first login. The allowed range is 0-600. A larger initial window is useful because a hardware token may have drifted for months in storage before its first use.

3.   Click Apply .

Your settings will be saved.

4.   If you use hardware tokens, import or add them in the OTP Tokens section.

PSKC Upload: OTP tokens using the OATH-TOTP standard are mostly delivered in a file that contains serial numbers and secrets in PSKC format (Portable Symmetric Key Container, RFC 6030). For encrypted files the decryption key is supplied out-of-band (for example, on paper). Click the Import icon on the top right of the list. Select the Method PSKC Upload. Select the requested file and click Start Upload. If the file is encrypted, enter the Decryption Key and click Save.

CSV Import: Use the data received from the hardware token vendor to generate a semicolon-separated CSV file in UTF-8 encoding. The file has to contain three columns with the following content: secret, timestep, and comment. The secret, a unique, device-specific string, is mandatory; it must be in hexadecimal format and at least 128 bits (32 hex characters) long. The other columns may be empty. If timestep is empty, the default token timestep defined in the OTP Settings section is used. Click the Import icon on the top right of the list. Select the Method CSV Import. Then paste the semicolon-separated data into the text box and click Save. Treat the file like a password list: anyone who obtains the secrets can generate valid passcodes for those tokens, so delete it after the import.


After the import/upload you can modify the entries using the Edit icon. Additionally, you can always add single entries by clicking the Plus icon (see Adding or Editing OTP Tokens Manually).

5.   Enable the one-time password service.

Click the toggle switch on top of the page. The toggle switch turns green.
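The following Python script is an added example, not part of the Sophos documentation or the UTM software. It builds and checks an import file in the layout step 4 describes (semicolon-separated, UTF-8, the columns secret, timestep and comment, a hexadecimal secret of at least 128 bits, a timestep of 10-120 seconds or empty to inherit the default), so that mistakes surface before the file is pasted into WebAdmin. The token rows are constructed sample data and the function names are this example's own.

```python
import csv
import io

DEFAULT_TIMESTEP = 30         # "Default token timestep" from the OTP Settings section
TIMESTEP_RANGE = (10, 120)    # allowed timestep range from the OTP Settings section
MIN_SECRET_BITS = 128         # minimum secret length: 32 hex characters


def make_token_csv(rows):
    """Write (secret_hex, timestep_or_None, comment) rows in the CSV Import layout:
    semicolon separators; an empty timestep column inherits the default."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", lineterminator="\n")
    for secret, timestep, comment in rows:
        writer.writerow([secret, "" if timestep is None else timestep, comment])
    return buf.getvalue()


def parse_token_csv(text, default_timestep=DEFAULT_TIMESTEP):
    """Check an import file before pasting it into WebAdmin.
    Returns (tokens, errors): accepted rows as dicts, rejected rows as messages."""
    tokens, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if not any(col.strip() for col in row):
            continue                                   # skip blank lines
        secret, timestep, comment = (row + ["", "", ""])[:3]
        secret, timestep, comment = secret.strip().lower(), timestep.strip(), comment.strip()
        try:
            raw = bytes.fromhex(secret)                # rejects non-hex and odd-length strings
        except ValueError:
            errors.append(f"line {lineno}: secret is not hexadecimal")
            continue
        if len(raw) * 8 < MIN_SECRET_BITS:
            errors.append(f"line {lineno}: secret has {len(raw) * 8} bits, need {MIN_SECRET_BITS}")
            continue
        if secret in seen:                             # a secret is unique per device
            errors.append(f"line {lineno}: duplicate secret")
            continue
        if timestep == "":
            step = default_timestep
        elif timestep.isdigit() and TIMESTEP_RANGE[0] <= int(timestep) <= TIMESTEP_RANGE[1]:
            step = int(timestep)
        else:
            errors.append(f"line {lineno}: timestep {timestep!r} outside {TIMESTEP_RANGE}")
            continue
        seen.add(secret)
        tokens.append({"secret": secret, "timestep": step, "comment": comment})
    return tokens, errors


# Constructed sample data: the first two rows are valid, the rest show typical mistakes.
SAMPLE_ROWS = [
    ("3132333435363738393031323334353637383930", None, "token A, 30 s default"),
    ("00112233445566778899aabbccddeeff", 60, "token B, 60 s hardware token"),
    ("0011", None, "secret far too short"),
    ("zz112233445566778899aabbccddeeff", None, "not hexadecimal"),
    ("3132333435363738393031323334353637383930", 30, "same secret as token A"),
    ("00112233445566778899aabbccddeeff00", 5, "timestep below the allowed minimum"),
]

if __name__ == "__main__":
    good, bad = parse_token_csv(make_token_csv(SAMPLE_ROWS))
    print(f"{len(good)} tokens accepted, {len(bad)} rows rejected")
    for message in bad:
        print("  " + message)
```

Running the script reports two accepted tokens and four rejected rows; the rejected rows are exactly the ones the rules above would turn away: a secret shorter than 128 bits, a non-hexadecimal secret, a secret reused for a second device, and a timestep outside 10-120.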

If Auto-create OTP tokens for users is enabled, as soon as one of the users specified for one-time password authentication logs in to the User Portal for the first time, the UTM auto-creates the OTP token entry if it was not generated up front. Additionally, the Reset icon of the entry is enabled.

Using the toggle switch of an entry you can disable it, for example if the user lost his hardware token. Using the appropriate icon, you can delete an entry, for example if a hardware token is broken. Be aware that in both cases, if the Auto-create OTP tokens for users option is enabled, the user can still authenticate again: on his next User Portal login a new token with a new secret is created for him, and a new entry is displayed in the OTP Tokens list. Disabling or deleting a token entry alone therefore does not lock a user out while auto-creation is enabled.

On the top right of the OTP Tokens list, a search box and navigation icons are available to navigate through and filter the list.

Icons

The OTP Tokens list shows some additional functional icons. Their meaning:

- Reset icon: Sets the token to a 'never-used' state, the so-called initial state. After the reset, the user sees the QR code again when logging in to the User Portal. The reset function is only available once the user has logged in with OTP at least one time.
- Command Shell icon: Shows that the token is configured to be used for remote shell access.
- Icon indicating that the token information is not displayed in the User Portal.
- Plus icon: Shows that additional token codes exist for the token.
- Stopwatch icon: Lets you check and set the token time-offset (see Synchronizing OTP Token Time).
- Icon showing the QR code of the token and its information.


Adding or Editing OTP Tokens Manually

You can add or edit OTP tokens manually.

Tip – Usually you would not add single OTP tokens by hand but either import them (in the case of hardware tokens) or, for mobile devices, generate them automatically using the Auto-create OTP tokens for users option.

1.   Open the dialog to add or edit the OTP token.

To add an OTP token, click the green Plus icon on the top right of the OTP Tokens list. To edit an OTP token, click the Edit icon in front of the respective entry in the OTP Tokens list.

2.   Make the following settings:

User: Select or add the user to whom the token should be assigned.

Secret: This is the shared secret of the user's hardware token or soft token. A hardware token has an unchangeable secret set by the hardware producer. A soft token secret is created randomly by the UTM when Auto-create OTP tokens for users is enabled. The secret must be in hexadecimal format and at least 128 bits long.

Comment (optional): Add a description or other information. This text is displayed together with the QR code in the User Portal. If you define different tokens for one person, e.g., a hardware token and a soft token for the mobile phone, it is useful to enter some explanation here, as the user sees all QR codes side by side.

3.   Optionally, make the following advanced settings:

Use custom token timestep: If a token needs a timestep other than the default token timestep defined in the OTP Settings section, enable this checkbox and enter the value. The timestep defined here has to correspond to the timestep of the user's passcode generation device, otherwise authentication fails.

Hide token information in User Portal: If enabled, the token is not displayed in the User Portal. This can be useful for hardware tokens, where no configuration is needed, or when soft tokens should not be configured by the end user but centrally, by the administrator.

Token can be used for shell access: If enabled, the token can be used for command-line access to the UTM. For this to work, shell access has to be enabled in the


OTP Settings section, and shell access with password authentication has to be enabled for the UTM in general (see Management > System Settings > Shell Access). OTP tokens with permission for shell access have a Command Shell icon on the right. For one-time password shell access, the user then has to log in as loginuser with the loginuser password followed directly by the one-time password.

Additional codes (only when editing an OTP token): You can add one-time passwords manually for a token. Either click the green Plus icon to enter one one-time password at a time, or use the Generate button to generate 10 one-time passwords at once. You can also import or export the one-time passwords using the Action icon. These one-time passwords are not time-limited; each is deleted automatically once the user has logged in with it. Because they remain valid until used, store an exported list as carefully as the token secret itself. OTP tokens with additional one-time passwords have a Plus icon on the right. Hovering the cursor over it shows the list of one-time passwords.

4.   Click Save.

Your settings will be saved.

Synchronizing OTP Token Time

The built-in quartz clocks of hardware OTP tokens may run slower or faster than real-world clocks. The VASCO token specification, for example, allows a time drift of about 2 seconds per day. After some months, the drift of a hardware token may be so large that the OTP code shown on the token no longer matches the UTM's calculated OTP, not even within the default accepted window of +/- one token code, and the UTM denies the code.

Each time a user logs on to the UTM with a valid hardware token code, the UTM calculates whether the token code is more than one timestep away from the expected one. If so, it adjusts the token-specific time drift value automatically.

With the UTM you can also calculate the time offset and synchronize it manually. Proceed as follows:

1.   In the OTP Tokens area click the stopwatch icon.

The check OTP token time-offset dialog opens. The current offset for this token is displayed.

2.   Enter the Token Passcode.

The token passcode is a six-digit number created by the hardware device.


3.   Click Check.

The result is displayed after a few seconds. If the passcode was valid, the message says whether and by how many timesteps the token is off.

4.   If you want to set the offset for the token, click OK.

The token time offset is updated.

5.   Click Cancel.

The dialog closes.
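To make the Timestep Settings and the time-offset check above concrete, here is an added Python model of the checks (example code, not UTM code): RFC 4226 HOTP and RFC 6238 TOTP with the UTM's timestep, the maximum passcode offset and maximum initial passcode offset as search windows, the drift value that the stopwatch dialog displays and that automatic resynchronization updates, and the non-expiring additional codes. Only the passcode algorithm is standard; the field names, the rule that drift is recorded once a code is more than one timestep away, and the sample secret (the RFC 6238 test vector, never to be used for a real token) are this example's own assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


@dataclass
class OtpToken:
    secret_hex: str                 # shared secret from the CSV/PSKC import, hex
    timestep: int = 30              # seconds per passcode (custom token timestep if set)
    drift: int = 0                  # learned clock offset of the device, in timesteps
    used: bool = False              # False until the first successful OTP login
    extra_codes: set = field(default_factory=set)   # "Additional codes", not time-limited


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def device_passcode(token: OtpToken, device_time: int) -> str:
    """RFC 6238 TOTP as the token itself computes it from its own clock."""
    return hotp(bytes.fromhex(token.secret_hex), device_time // token.timestep)


def passcode_offset(token, passcode, now, max_offset=3, max_initial_offset=600):
    """How many timesteps the passcode is away from what the UTM expects, or None
    if it falls outside the accepted window. Read-only, like the 'check OTP token
    time-offset' dialog. Before the first login the larger initial window applies."""
    if not (passcode.isascii() and passcode.isdigit()):
        return None
    window = max_offset if token.used else max_initial_offset
    expected = now // token.timestep + token.drift
    secret = bytes.fromhex(token.secret_hex)
    for delta in range(-window, window + 1):
        counter = expected + delta
        if counter < 0:                       # no passcodes before the Unix epoch
            continue
        if hmac.compare_digest(hotp(secret, counter), passcode):
            return delta
    return None


def authenticate(token, passcode, now, **limits) -> bool:
    """Login check. A stored additional code is consumed once; a time-based code
    must lie within the offset window, and a drift of more than one timestep is
    recorded on the token so later logins are expected at the shifted time."""
    if passcode in token.extra_codes:
        token.extra_codes.discard(passcode)
        return True
    delta = passcode_offset(token, passcode, now, **limits)
    if delta is None:
        return False
    if abs(delta) > 1:
        token.drift += delta
    token.used = True
    return True


# Constructed sample: the RFC 6238 test secret; never use it for a real token.
RFC_SECRET = "3132333435363738393031323334353637383930"

if __name__ == "__main__":
    token = OtpToken(RFC_SECRET)
    code = device_passcode(token, 59)            # the device shows 287082 at T=59
    print("offset at first login, device 90 s slow:", passcode_offset(token, code, 149))
    print("accepted:", authenticate(token, code, 149), "drift now", token.drift)
```

The window is the security trade-off behind both offset settings: the passcode the RFC secret produces at T=59 (287082) is accepted at T=149 only because the first login may be up to 600 steps off; after that login the offset of -3 is recorded and any further login must fall within +/- 3 steps of the corrected time. Each extra step in the window is one more passcode an online guesser may hit, which is why Block Password Guessing (see Advanced) should stay enabled for OTP-protected facilities.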

5.6.5 Advanced

Block Password Guessing

This function can be used to prevent password guessing. After a configurable number of failed login attempts (default: 3), the IP address trying to gain access to one of the facilities is blocked for a configurable amount of time (default: 600 seconds).

Drop packets from blocked hosts: If enabled, all packets coming from blocked hosts are dropped for the specified time, instead of only the login being refused. This option helps to mitigate DoS attacks against the authentication facilities.

Facilities: The check is performed for the selected facilities.

Never block networks: Networks listed in this box are exempt from this check. Add your management network here so that a block cannot lock administrators out, but keep the list as small as possible, since hosts in these networks can attempt passwords without limit.
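An added Python model of Block Password Guessing (example code, not the UTM's implementation) to show how the three settings interact: the failure counter per source address, the block timer, and the Never block networks exemption. The event list is constructed; 203.0.113.5 and 192.168.1.7 are documentation addresses, and the class and method names are this example's own.

```python
import ipaddress
from collections import defaultdict


class GuessBlocker:
    """After max_failures failed logins from one address, that address is blocked
    for block_seconds; addresses in never_block networks are never blocked."""

    def __init__(self, max_failures=3, block_seconds=600, never_block=()):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.failures = defaultdict(int)      # consecutive failures per source address
        self.blocked_until = {}               # address -> Unix time the block expires

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # block has expired, forget it
            del self.blocked_until[ip]
            return False
        return True

    def attempt(self, ip, credentials_ok, now):
        """Evaluate one login attempt. Returns 'ok', 'fail' or 'blocked'.
        A blocked address is refused even when the credentials are correct."""
        if self.is_blocked(ip, now):
            return "blocked"
        if credentials_ok:
            self.failures.pop(ip, None)       # a success resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures and not self.is_exempt(ip):
            self.failures.pop(ip, None)
            self.blocked_until[ip] = now + self.block_seconds
            return "blocked"
        return "fail"

    def blocked_hosts(self, now):
        """Addresses a packet-drop rule would use when 'Drop packets from blocked hosts' is on."""
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, now))


# Constructed sample of authentication events: (time, source address, credentials ok)
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False), (1, "203.0.113.5", False), (2, "203.0.113.5", False),
    (3, "203.0.113.5", True),        # correct password, but the address is blocked
    (5, "192.168.1.7", False), (6, "192.168.1.7", False), (7, "192.168.1.7", False),
    (8, "192.168.1.7", True),        # management network is exempt, so this succeeds
    (603, "203.0.113.5", True),      # the 600 s block has expired
]


def replay(events, **kwargs):
    """Feed the events through a fresh blocker; returns (time, ip, result) triples."""
    blocker = GuessBlocker(**kwargs)
    return [(t, ip, blocker.attempt(ip, ok, t)) for t, ip, ok in events]


if __name__ == "__main__":
    for t, ip, result in replay(SAMPLE_EVENTS, never_block=["192.168.0.0/16"]):
        print(f"t={t:4d} {ip:15} {result}")
```

Two consequences are visible in the replay: the blocked attacker is refused at t=3 even with correct credentials, and the exempt management host is never blocked no matter how often it fails. blocked_hosts() is the list a packet-drop rule would consume when Drop packets from blocked hosts is enabled.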

Local Authentication Passwords

Using this option, you can enforce strong passwords for administrators and for locally registered users with administrative privileges. You can configure password complexity to adhere to the following security requirements:

- Minimum password length, default is eight characters
- Require at least one lowercase character
- Require at least one uppercase character
- Require at least one numeral
- Require at least one non-alphanumeric character

To enable the selected password properties, select the Require complex passwords checkbox and click Apply.

Active Directory Group Membership Synchronization

Use this option to enable background synchronization of AD group membership information.


The UTM can periodically synchronize group membership information and cache it locally to reduce traffic to the Active Directory server. When this option is enabled, group membership information is synchronized with the configured Active Directory Single Sign-On server. Click Synchronize Now to synchronize group membership information immediately.

Prefetch Directory Users

Users from eDirectory or Active Directory can be synchronized with the UTM. This pre-creates the user objects on the UTM so that they already exist when the user logs in. The synchronization process can run weekly or daily.

To enable prefetching, make the following settings:

Server: The drop-down list contains the servers that have been created on the Servers tab. Select the server for which you want to enable prefetching.

Prefetch interval: Select an interval for prefetching users. To run the synchronization weekly, select the day of the week on which the synchronization should start. To run it daily, select Daily.

Prefetch time: Select the time of day at which users are prefetched.

Groups: To specify which groups should be pre-created, enter the groups here. You can use the integrated LDAP browser to select these groups.

Enable Backend Sync on Login (optional): With every prefetch event, the Backend sync option of the involved users (Users & Groups > Users tab) is set to the value defined here: if this option is enabled, the users' Backend sync option is enabled; if it is disabled, the users' Backend sync option is disabled.

Click Apply to save your settings.

Prefetch Now: Click this button to start prefetching immediately.

Open Prefetch Live Log: Click this button to open the prefetch live log.


6 Interfaces & Routing

This chapter describes how to configure interfaces and network-specific settings in Sophos UTM. The Network Statistics page in WebAdmin provides an overview of today's top ten accounting services, top source hosts, and concurrent connections. Each of the sections contains a Details link. Clicking the link redirects you to the respective reporting section of WebAdmin, where you can find more statistical information.

The following topics are included in this chapter:

- Interfaces
- Bridging
- Quality of Service (QoS)
- Uplink Monitoring
- IPv6
- Static Routing
- Dynamic Routing (OSPF)
- Border Gateway Protocol
- Multicast Routing (PIM-SM)

6.1 Interfaces

A gateway requires at least two network interface cards to connect an internal LAN to an external one (e.g., the Internet) in a secure fashion. In the following examples, the network card eth0 is always the interface connected to the internal network. Network card eth1 is the interface connected to the external network (for example, to the Internet). These interfaces are also called the trusted and untrusted interfaces, respectively.

Network cards are automatically recognized during the installation. With the Software Appliance, if new network cards are added later, a new installation will be necessary. To reinstall the system, make a backup of your configuration, install the software, and restore your backup.

The gateway must be the only point of contact between internal and external networks. All data must pass through the UTM. We strongly recommend against connecting both internal and


external interfaces to one hub or switch, except if the switch is configured as a VLAN switch. Otherwise there might be wrong ARP resolutions (Address Resolution Protocol), also known as "ARP clash", which not all operating systems can handle (for example, those from Microsoft). More importantly, a shared segment lets internal and external hosts reach each other at layer 2 and thus bypass the gateway entirely. Therefore, one physical network segment has to be used for each gateway network interface.

The Interfaces menu allows you to configure and manage all network cards installed on the UTM, and also all interfaces to the external network (Internet) and interfaces to the internal networks (LAN, DMZ).

Note – While planning your network topology and configuring the UTM, take care to note which interface is connected to which network. In most configurations, the network interface with SysID eth1 is chosen as the connection to the external network. In order to install the high availability (HA) failover, the selected network cards on both systems must have the same SysID. Installing the HA failover is described in more detail on page Management > High Availability.

The following sections explain how to manage and configure different interface types on the tabs Interfaces, Additional Addresses, Link Aggregation, Uplink Balancing, Multipath Rules, and Hardware.

6.1.1 Interfaces

On the Interfaces tab you can configure network cards and virtual interfaces. The list shows the already defined interfaces with their symbolic name, hardware device, and current addresses. The interface status is also displayed. By clicking the toggle switch, you can activate and deactivate interfaces. Please note that interface groups do not have a toggle switch.

Tip – When you click the Info icon of an interface definition in the Interfaces list, you can see all configuration options in which the interface definition is used.

Newly added interfaces may show up as Down while they are in the process of being set up.

You can edit and delete interfaces by clicking the respective buttons.

6.1.1.1 Automatic Interface Network Definitions

Each interface on your UTM has a symbolic name and a hardware device assigned to it. The symbolic name is used when you reference an interface in other configuration settings. For


each interface, a matching set of network definitions is automatically created by the UTM:

- A definition containing the current IP address of the interface, its name consisting of the interface name and the (Address) suffix.
- A definition containing the network attached to the interface, its name consisting of the interface name and the (Network) suffix. This definition is not created for Point-to-Point (PPP) type interfaces.
- A definition containing the broadcast address of the interface, its name consisting of the interface name and the (Broadcast) suffix. This definition is not created for Point-to-Point (PPP) type interfaces.

When the interface uses a dynamic address allocation scheme (such as DHCP or remote assignment), these definitions are automatically updated. All settings referring to these definitions, for example firewall and NAT rules, are automatically updated with the changed addresses as well. For this reason, reference the interface definitions in rules rather than hard-coded addresses wherever possible.

One interface with the symbolic name Internal is already predefined. It is the management interface and is typically used as the "internal" UTM interface. If you want to rename it, you should do so right after the installation.
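As an added example (not part of the Sophos documentation), the following Python code derives the three automatic definitions from an interface address and evaluates a rule that references them by name, to show why such rules keep working after a DHCP lease changes. The addresses are constructed from documentation ranges; interface_definitions and rule_matches are this example's own names.

```python
import ipaddress


def interface_definitions(name, address, point_to_point=False):
    """Derive the automatic network definitions for an interface from its
    address in CIDR notation. PPP-type interfaces get only the (Address) entry,
    and IPv6 networks have no broadcast address."""
    iface = ipaddress.ip_interface(address)
    defs = {f"{name} (Address)": str(iface.ip)}
    if not point_to_point:
        defs[f"{name} (Network)"] = str(iface.network)
        if iface.version == 4:
            defs[f"{name} (Broadcast)"] = str(iface.network.broadcast_address)
    return defs


def rule_matches(rule, definitions, packet):
    """Evaluate a firewall rule that references definitions by name against a
    packet given as {'src': ip, 'dst': ip}. Names are resolved at match time, so
    a refreshed definition set changes what the unchanged rule matches."""
    for key in ("src", "dst"):
        target = ipaddress.ip_network(definitions[rule[key]], strict=False)
        if ipaddress.ip_address(packet[key]) not in target:
            return False
    return True


if __name__ == "__main__":
    defs = interface_definitions("Internal", "192.168.2.100/24")
    defs.update(interface_definitions("External", "198.51.100.77/22"))   # first DHCP lease
    rule = {"src": "Internal (Network)", "dst": "External (Address)"}
    print(rule_matches(rule, defs, {"src": "192.168.2.55", "dst": "198.51.100.77"}))
    defs.update(interface_definitions("External", "198.51.101.9/22"))    # lease changed
    print(rule_matches(rule, defs, {"src": "192.168.2.55", "dst": "198.51.101.9"}))
```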

6.1.1.2 Interface Types

The following list shows which interface types can be added to the UTM, and what type of hardware is needed to support them:

Group: You can organize your interfaces in groups. In appropriate configurations, you can then select a single interface group instead of multiple interfaces individually.

3G/UMTS: This is an interface based on a USB modem stick. The stick needs to be plugged in and the UTM needs to be rebooted before the interface can be created.

DSL (PPPoA/PPTP): PPP over ATM. A DSL PPPoA device lets you attach your gateway to PPP-over-ATM compatible DSL lines. These devices use the PPTP protocol to tunnel IP packets. They require a dedicated Ethernet connection (they cannot co-exist with other interfaces on the same hardware). You must attach a DSL modem to the interface's network segment. The network parameters for these device types can be assigned by the remote station (typically, your ISP). In addition, you need to enter the username and password for your ISP account. You also need to enter the IP address of your modem. This address is usually hardwired in the modem and cannot be changed. To communicate with the modem, you have to enter a NIC IP address and netmask. The modem's IP address must be inside the network defined by these parameters. The Ping Address must be a host on the other side of the PPTP link that responds


to ICMP ping requests. You can try to use the DNS server of your ISP. If this address cannot be pinged, the connection is assumed to be dead and will be reinitiated.

DSL (PPPoE): PPP over Ethernet. A DSL PPPoE device lets you attach your gateway to PPP-over-Ethernet compatible DSL lines. These devices require a dedicated Ethernet connection (they cannot co-exist with other interfaces on the same hardware). You must attach a DSL modem to the interface's network segment. The network parameters for these device types can be assigned by the remote station (typically, your ISP). In addition, you need to enter the username and password for your ISP account.

Ethernet DHCP: This is a standard Ethernet interface with DHCP.

Ethernet Static: This is a normal Ethernet interface with 10, 100, or 1000 Mbit/s bandwidth.

Ethernet VLAN: VLAN (Virtual LAN) is a method to have multiple layer-2 separated network segments on a single hardware interface. Every segment is identified by a "tag", which is just an integer number. When you add a VLAN interface, you create a "hardware" device that can be used to add additional interfaces (aliases), too. PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.

Modem (PPP): This type of interface lets you connect the UTM to the Internet through a PPP modem. For the configuration you need a serial interface and an external modem on the UTM. You also need the access data, including username and password, which you get from your ISP.

About Flexible Slots

Certain types of Sophos hardware appliances allow you to change interface hardware easily by providing so-called slots into which slot modules can be inserted and swapped flexibly. If such hardware is being used, WebAdmin displays the slot information along with the hardware interfaces. This looks, for example, like eth1 [A6] Intel Corporation 82576 Gigabit Network Connection, where the slot information is provided in the square brackets, A6 being the 6th port in slot A. Currently, up to three slots are possible, labeled A-C, with up to eight ports each. Onboard interface cards are labeled [MGMT1] and [MGMT2].

Slot information is provided in the following places of WebAdmin:

- Interfaces & Routing > Interfaces > Interfaces
- Interfaces & Routing > Interfaces > Hardware
- Throughout WebAdmin in Hardware drop-down lists and lists where hardware interface information is displayed


For up-to-date information on which appliance types come with flexible slots, please refer to the

Sophos UTM webpage.

6.1.1.3 Group

You can combine two or more interfaces into a group. Groups can ease your configuration tasks. When creating multipath rules, you need to configure a group if you want to balance traffic over a defined group of uplink interfaces only instead of using all uplink interfaces.

To configure a Group interface, proceed as follows:

1.   On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select Group from the drop-down list.

Interfaces: Add the interfaces to be grouped.

Comment (optional): Add a description or other information.

3.   Click Save.

The group is added to the interface list. Groups do not have a status.

To show only interfaces of a certain type, select the type of the interfaces you want to have displayed from the drop-down list. To either edit or delete an interface, click the corresponding buttons.

6.1.1.4 3G/UMTS

Sophos UTM supports network connections via 3G/UMTS USB sticks.

To configure a 3G/UMTS interface, proceed as follows:

1.   On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select 3G/UMTS from the drop-down list.


Hardware: Select a USB modem stick from the drop-down list. Note that you need to reboot after plugging in the USB stick.

Network: Select the mobile network type, which is either GSM/W-CDMA, CDMA, or LTE.

IPv4/IPv6 default GW (optional): Select this option if you want to use the default gateway of your provider.

PIN (optional): Enter the PIN of the SIM card if a PIN is configured.

APN Autoselect (optional): By default, the APN (Access Point Name) used is retrieved from the USB modem stick. If you unselect the checkbox, enter the APN information into the APN field.

Username/Password (optional): If required, enter a username and password for the mobile network.

Dial String (optional): If your provider uses a different dial string, enter it here. The default is *99#.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Init String: Enter the string that initializes the USB modem stick. It might be necessary to adjust the init string to the USB modem stick; in that case, take it from the manual of the stick. If you do not have the required documentation available, keep the default setting ATZ.

Reset String: Enter the reset string for the USB modem stick. It might be necessary to adjust the reset string to the USB modem stick; in that case, take it from the manual of the stick. If you do not have the required documentation available, keep the default setting ATZ.

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the 3G/UMTS interface type.


Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidths are not identical and you want the Dashboard to reflect this. Then, two text boxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of your connection if you want the Dashboard to reflect it. The bandwidth can be given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

4.   Click Save.

The system now checks the settings for validity. After a successful check the new interface appears in the interface list. The interface is not yet enabled (toggle switch is gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have displayed from the drop-down list. To either edit or delete an interface, click the corresponding buttons.

6.1.1.5 Ethernet Static

To configure a network card for a static Ethernet connection to an internal or external network, you must configure the network card with an IP address and netmask.

To configure a static Ethernet interface, proceed as follows:

1.   On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select Ethernet Static from the drop-down list.

Hardware: Select an interface from the drop-down list.


Tip – For an external connection (e.g., to the Internet) choose the network card with SysID eth1. Please note that one network card cannot be used as both an Ethernet Static interface and a PPP over Ethernet (PPPoE DSL) or PPTP over Ethernet (PPPoA DSL) connection simultaneously.

IPv4/IPv6 address: Enter the IP address of the interface.

Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.

IPv4/IPv6 default GW (optional): Select this option if you want to use a statically defined default gateway.

Default GW IP (optional): Enter the IP address of the default gateway.

Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the Ethernet Static interface type.

Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP function is disabled (Off). This option is available on broadcast-type interfaces. When you switch it on, the UTM "attracts" traffic on that interface for hosts "behind" it and passes it on. It does that for all hosts it has a direct interface route for. This allows you to build "transparent" network bridging while still doing firewalling. Another use for this feature is when your ISP's router simply puts your "official" network on its Ethernet interface (does not use a host route). Enable it only where this is intended: a UTM that answers ARP requests on behalf of other hosts silently redirects the segment's traffic for those hosts through itself.

Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidths are not identical and you want the Dashboard to reflect this. Then, two text boxes


are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of your connection if you want the Dashboard to reflect it. The bandwidth can be given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

4.   Click Save.

The system now checks the settings for validity. After a successful check the new interface appears in the interface list. The interface is not yet enabled (toggle switch is gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have displayed from the drop-down list. To either edit or delete an interface, click the corresponding buttons.

6.1.1.6 Ethernet VLAN

In order to connect the UTM to virtual LANs, the system requires a network card with a tag-capable driver. A tag is a 4-byte header inserted into the Ethernet header of each frame. It contains the number of the VLAN that the frame belongs to: the VLAN number is a 12-bit value, which allows 4094 usable VLANs (the IDs 0 and 4095 are reserved by IEEE 802.1Q). In WebAdmin this number is referred to as the VLAN tag.

Note – Sophos maintains a list of supported tag-capable network interface cards. The Hardware Compatibility List (HCL) is available in the Sophos Knowledgebase. Use "HCL" as search term to locate the corresponding page.
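The tag format described above, as an added example that is not part of the Sophos documentation: a Python script that builds and parses the 4-byte IEEE 802.1Q header, enforces the usable tag range, and maps an arriving frame to the interface configured for its tag (the behaviour a VLAN-aware gateway relies on to keep the segments separated). The MAC addresses, the payload and the interface map are constructed; the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority tag only) and 4095 are reserved


def make_tci(vid, pcp=0, dei=0):
    """Tag Control Information: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN tag {vid} outside {VID_MIN}-{VID_MAX}")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("pcp must be 0-7 and dei 0 or 1")
    return (pcp << 13) | (dei << 12) | vid


def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q header between the source MAC and the EtherType."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet frame")
    return frame[:12] + struct.pack(">HH", TPID_8021Q, make_tci(vid, pcp)) + frame[12:]


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    (ethertype,) = struct.unpack(">H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner_type = struct.unpack(">HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


def receiving_interface(frame, physical_name, vlan_interfaces):
    """Map a frame arriving on one NIC to the UTM interface it belongs to:
    untagged frames go to the physical interface, tagged ones to the VLAN
    interface configured with that tag, and a tag without an interface is
    dropped (None)."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return physical_name
    return vlan_interfaces.get(vid)


# Constructed sample frame: two made-up MAC addresses and a dummy IPv4 payload.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack(">H", ETHERTYPE_IPV4) + b"\x45\x00" + b"\x00" * 18)

if __name__ == "__main__":
    vlans = {100: "DMZ", 200: "Guest"}
    for f in (UNTAGGED, tag_frame(UNTAGGED, 100), tag_frame(UNTAGGED, 300)):
        print(parse_frame(f)[0], "->", receiving_interface(f, "eth1", vlans))
```

An untagged frame on eth1 stays with the physical interface, a frame tagged 100 lands on the DMZ interface, and a tag with no matching interface is dropped; a tag of 0 or 4095 is rejected before any frame is built.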

To configure an Ethernet VLAN interface, proceed as follows:

1.   On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select Ethernet VLAN from the drop-down list.

Hardware: Select an interface from the drop-down list.

VLAN Tag: Enter the VLAN tag to use for this interface.

IPv4/IPv6 address: Enter the IP address of the interface.

Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.

IPv4/IPv6 default GW (optional): Select this option if you want to use a statically defined

default gateway.

Default GW IP (optional): Enter the IP address of the default gateway.

Note – You can configure an interface to have an IPv4 and an IPv6 address sim-

ultaneously.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the Ethernet VLAN interface type.

Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP function is disabled (Off). This option is available on broadcast-type interfaces. When you switch it on, UTM will "attract" traffic on that interface for hosts "behind" it, by answering ARP requests for their addresses with its own MAC address, and pass it on. It will do that for all hosts that it has a direct interface route for. This allows you to build "transparent" network bridging while still doing firewalling. Another use for this feature is when your ISP's router just puts your "official" network on its Ethernet interface (does not use a host route). Enable it only on interfaces where the UTM really holds the routes for those hosts; otherwise it answers ARP for addresses it cannot deliver to.

Asymmetric (optional): Select this option if your connection's uplink and downlink band-

width are not identical and you want the Dashboard to reflect this. Then, two textboxes

are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or 

KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of 

your connection, if you want the Dashboard to reflect it. The bandwidth can be given in

either MB/s or KB/s. Select the appropriate unit from the drop-down list.

4.   Click Save.

The system will now check the settings for validity. After a successful check the new inter-

face will appear in the interface list. The interface is not yet enabled (toggle switch is

gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have dis-

played from the drop-down list. To either edit or delete an interface, click the corresponding but-

tons.
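The 802.1Q tag described in the Ethernet VLAN section, as an added example that is not part of the Sophos guide: a small Python builder and parser for single-tagged Ethernet frames. The MAC addresses and payload are constructed sample values; the TPID 0x8100 and the reserved VLAN IDs 0 and 4095 are standard IEEE 802.1Q values, not UTM settings. `valid_vlan_tag` is the range check a practitioner should apply to the WebAdmin VLAN tag field.

```python
import struct

# IEEE 802.1Q constants (standard values, not taken from the Sophos guide)
TPID_8021Q = 0x8100         # EtherType that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094  # 0 = "priority tagged, no VLAN", 4095 = reserved


def valid_vlan_tag(vid):
    """True if vid is a VLAN ID that WebAdmin's 'VLAN tag' field should accept."""
    return isinstance(vid, int) and VID_MIN <= vid <= VID_MAX


def build_vlan_frame(dst, src, vid, pcp=0, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Build an Ethernet frame carrying one 802.1Q tag.

    The 4-byte tag sits between the source MAC and the original EtherType:
    2 bytes TPID (0x8100) followed by 2 bytes TCI = PCP(3) | DEI(1) | VID(12).
    """
    if not valid_vlan_tag(vid):
        raise ValueError("VLAN tag must be %d..%d, got %r" % (VID_MIN, VID_MAX, vid))
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the header fields of an untagged or single-tagged Ethernet frame.

    'vlan' is None for an untagged frame. Raises ValueError when the frame is
    shorter than the headers it announces (a truncated tag is a common
    capture artifact and must not be read as VLAN 0).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst.hex(), "src": src.hex(), "vlan": None, "pcp": None,
                "dei": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("TPID 0x8100 present but the 4-byte tag is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst.hex(), "src": src.hex(),
            "vlan": tci & 0x0FFF,       # low 12 bits: VLAN identifier
            "pcp": tci >> 13,           # top 3 bits: priority code point
            "dei": (tci >> 12) & 1,     # drop eligible indicator
            "ethertype": inner_type,    # EtherType of the encapsulated payload
            "payload": frame[18:]}


if __name__ == "__main__":
    # Constructed sample frame on VLAN 100 with priority 5 (not captured traffic).
    frame = build_vlan_frame(bytes.fromhex("001122334455"),
                             bytes.fromhex("66778899aabb"), 100, pcp=5, payload=b"\x45")
    print(frame.hex())
    print(parse_frame(frame))
```

A tag-capable driver does exactly this insertion and removal in the NIC path; if the UTM reports a VLAN interface Up but no traffic flows, checking that the switch port is configured as a trunk carrying that VID is the first thing to verify.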

6.1.1.7 Ethernet DHCP

To configure an Ethernet DHCP interface, proceed as follows:

1.

On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select Ethernet DHCP from the drop-down list.

Hardware: Select an interface from the drop-down list.

Tip – For an external connection (e.g., to the Internet) choose the network card with SysID eth1. Please note that one network card cannot be used as both an Ethernet DHCP and a PPP over Ethernet (PPPoE-DSL) or PPTP over Ethernet (PPPoA-DSL) connection simultaneously.

IPv4/IPv6 default GW (optional): Select this option if you want to use the default gate-

way of your provider.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Hostname: If your ISP requires the hostname of your system, enter it here.

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the Ethernet DHCP interface type.

Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP func-

tion is disabled (Off).

This option is available on broadcast-type interfaces. When you switch it on, UTM will

"attract" traffic on that interface for hosts "behind" it and pass it on. It will do that for all

hosts that it has a direct interface route for. This allows you to build "transparent" network

bridging while still doing firewalling. Another use for this feature is when your ISP's router 

 just puts your "official" network on its Ethernet interface (does not use a host route).

Asymmetric (optional): Select this option if your connection's uplink and downlink band-

width are not identical and you want the Dashboard to reflect this. Then, two textboxes

are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or 

KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of 

your connection, if you want the Dashboard to reflect it. The bandwidth can be given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

4.   Click Save.

The system will now check the settings for validity. After a successful check the new inter-

face will appear in the interface list. The interface is not yet enabled (toggle switch is

gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have dis-

played from the drop-down list. To either edit or delete an interface, click the corresponding but-

tons.

6.1.1.8 DSL (PPPoE)

The configuration will require the DSL connection information, including username and pass-

word, provided by your ISP. VDSL is also supported by this interface type.

Note – Once the DSL connection is activated, the UTM will be connected to your ISP 24 hours

a day. You should therefore ensure that your ISP bills on a flat-rate or bandwidth-based sys-

tem rather than based on connection time.

To configure a DSL (PPPoE) interface, proceed as follows:

1.

On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select DSL (PPPoE) from the drop-down list.

Hardware: Select an interface from the drop-down list.

VDSL: Select this checkbox if and only if your connection is a VDSL connection. The MTU changes to 1476.

Static PPPoE IP (optional): Select the checkbox if you have a static IP address assigned

by your ISP, and enter the IP address and corresponding netmask into the appearing

textboxes.

l   IPv4/IPv6 Address: Enter the IP address of the interface.

l   Netmask: Select a netmask from the drop-down list and/or enter an IPv6 net-

mask.

Note – You can configure an interface to have an IPv4 and an IPv6 address sim-

ultaneously.

IPv4/IPv6 Default GW (optional): Select this option if you want to use the default gate-

way of your provider.

Username: Enter the username, provided by your ISP.

Password: Enter the password, provided by your ISP.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1492 bytes is set for the DSL (PPPoE) interface type: the 1500-byte Ethernet payload minus the 6-byte PPPoE header and the 2-byte PPP protocol field.

VLAN tag (only if VDSL is enabled): Enter the VLAN tag to be added to the PPPoE packets. For the correct tag, refer to your VDSL provider. Default is 7, which is currently used for the PPPoE connection of the Deutsche Telekom.

Daily reconnect: Define at what time you want the connection to close and reopen. You

can select either  Never  or pick a specific time.

Reconnect delay: Here you can change the reconnect delay. By default, it is set to 5 Seconds. If your ISP demands a longer delay you can set it to One Minute or Fifteen Minutes.

Asymmetric (optional): Select this option if your connection's uplink and downlink band-

width are not identical and you want the Dashboard to reflect this. Then, two textboxes

are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or 

KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of 

your connection, if you want the Dashboard to reflect it. The bandwidth can be given in

either MB/s or KB/s. Select the appropriate unit from the drop-down list.

Multilink: If enabled, you can bundle multiple PPP connections. A multilink

PPP connection only works if your ISP supports Multilink PPP.

Multilink slaves: Select the interfaces you want to bundle with the hardware selected

above to one multilink.

4.   Click Save.

The system will now check the settings for validity. After a successful check the new inter-

face will appear in the interface list. The interface is not yet enabled (toggle switch is

gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have dis-

played from the drop-down list. To either edit or delete an interface, click the corresponding but-

tons.

6.1.1.9 DSL (PPPoA/PPTP)

To configure a connection using the PPP over ATM protocol (PPPoA), you will need an unused Ethernet interface on the UTM as well as an external ADSL modem with an Ethernet port. The connection to the Internet proceeds through two separate connections: between the UTM and the ADSL modem, a PPTP tunnel over Ethernet is established; the ADSL modem is, in turn, connected to the ISP using the PPP over ATM dialing protocol.

The configuration will require the DSL connection information, including username and pass-

word, provided by your Internet Service Provider (ISP).

Note – Once the DSL connection is activated, the UTM will be connected to your ISP 24 hours

a day. You should therefore ensure that your ISP bills on a flat-rate or bandwidth-based sys-

tem rather than based on connection time.

To configure a DSL (PPPoA/PPTP) interface, proceed as follows:

1.

On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select DSL (PPPoA/PPTP) from the drop-down list.

Hardware: Select an interface from the drop-down list.

IPv4/IPv6 default GW (optional): Select this option if you want to use the default gate-

way of your provider.

Username: Enter the username, provided by your ISP.

Password: Enter the password, provided by your ISP.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Modem IP: Enter the IP address of your ADSL modem here. This address will usually be

provided by your ISP or the modem hardware and cannot be changed. Example:

10.0.0.138 (with AonSpeed).

NIC address: Enter the IP address of the network card on the UTM which is attached to the modem here. This address must be in the same subnet as the modem. Example: 10.0.0.140 (with AonSpeed).

NIC netmask: Enter the network mask to use here. Example: 255.255.255.0 (with

 AonSpeed).

Ping address (optional): Enter the IP address of a host on the Internet that responds to ICMP ping requests. To test the connection between the UTM and the external network, you have to enter the IP address of a host on the other side of the PPTP link; you can try the DNS server of your ISP. The UTM will send ping requests to this host: if no answer is received, the connection is regarded as down.

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1492 bytes is set for the DSL (PPPoA) interface type.

Daily reconnect: Define at what time you want the connection to close and reopen. You

can select either Never or pick a specific time.

Reconnect delay: Here you can change the reconnect delay. By default, it is set to 5 

Seconds. If your ISP demands a longer delay you can set it to One Minute or  Fifteen

Minutes.

Asymmetric (optional): Select this option if your connection's uplink and downlink band-

width are not identical and you want the Dashboard to reflect this. Then, two textboxes

are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or 

KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of your connection, if you want the Dashboard to reflect it. The bandwidth can be given in

either MB/s or KB/s. Select the appropriate unit from the drop-down list.

4.   Click Save.

The system will now check the settings for validity. After a successful check the new inter-

face will appear in the interface list. The interface is not yet enabled (toggle switch is

gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have dis-

played from the drop-down list. To either edit or delete an interface, click the corresponding but-

tons.
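WebAdmin validates the settings when you click Save, but the guide does not say which checks it runs. The following Python script is an added example, not Sophos code: it applies the constraints stated in the sections above (the PPPoE default MTU of 1492 as 1500 minus 8 bytes of PPPoE/PPP framing, the requirement that the PPTP modem IP and the NIC address share a subnet, and a sanity check on static address and default gateway) to a plain dictionary. The dictionary keys and the problem messages are assumptions for this example; the AonSpeed values are the ones the guide uses.

```python
import ipaddress

# Default MTUs the guide states for each interface type (bytes).
DEFAULT_MTU = {
    "Ethernet Static": 1500, "Ethernet VLAN": 1500, "Ethernet DHCP": 1500,
    "DSL (PPPoE)": 1492, "DSL (PPPoA/PPTP)": 1492, "Modem (PPP)": 1492,
}
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field (RFC 2516)


def _iface(addr, mask):
    """Combine an address with a dotted-quad or prefix-length netmask."""
    return ipaddress.ip_interface("%s/%s" % (addr, mask))


def validate_interface(cfg):
    """Check a dict shaped like the Create New Interface dialog (assumed keys:
    type, mtu, address, netmask, default_gw_ip, modem_ip, nic_address,
    nic_netmask) and return a list of problems; [] means it passed."""
    itype = cfg["type"]
    if itype not in DEFAULT_MTU:
        return ["unknown interface type %r" % itype]
    problems = []
    mtu = cfg.get("mtu", DEFAULT_MTU[itype])

    # PPPoE rides inside a 1500-byte Ethernet payload, so 1492 is the ceiling.
    if itype == "DSL (PPPoE)" and mtu > ETHERNET_MTU - PPPOE_OVERHEAD:
        problems.append("PPPoE MTU %d exceeds %d (1500 minus %d bytes of PPPoE/PPP "
                        "framing); expect fragmentation or a dead link"
                        % (mtu, ETHERNET_MTU - PPPOE_OVERHEAD, PPPOE_OVERHEAD))
    if itype.startswith("Ethernet") and mtu > ETHERNET_MTU:
        problems.append("MTU %d needs jumbo-frame support on the NIC and on every "
                        "switch in the path" % mtu)

    if itype == "DSL (PPPoA/PPTP)":
        # The modem and the UTM's NIC share one Ethernet segment, so the
        # modem address must fall inside the NIC's subnet.
        modem = ipaddress.ip_address(cfg["modem_ip"])
        nic = _iface(cfg["nic_address"], cfg["nic_netmask"])
        if modem not in nic.network:
            problems.append("modem IP %s is outside the NIC subnet %s" % (modem, nic.network))
        elif modem == nic.ip:
            problems.append("modem IP and NIC address are identical")

    if cfg.get("address"):
        iface = _iface(cfg["address"], cfg["netmask"])
        net = iface.network
        if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append("%s is the network or broadcast address of %s" % (iface.ip, net))
        gw = cfg.get("default_gw_ip")
        if gw and ipaddress.ip_address(gw) not in net:
            problems.append("default gateway %s is not inside %s" % (gw, net))
    return problems


if __name__ == "__main__":
    # The guide's AonSpeed example values for a DSL (PPPoA/PPTP) interface.
    aon = {"type": "DSL (PPPoA/PPTP)", "modem_ip": "10.0.0.138",
           "nic_address": "10.0.0.140", "nic_netmask": "255.255.255.0"}
    print(validate_interface(aon))                                   # []
    print(validate_interface(dict(aon, modem_ip="10.0.1.138")))      # subnet mismatch
    print(validate_interface({"type": "DSL (PPPoE)", "mtu": 1500}))  # MTU too large
```

Running such a check against an exported interface list before a change window catches the two classic causes of an interface that shows Up but passes no traffic: a PPPoE MTU left at 1500, and a PPTP NIC address on a different subnet than the modem.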

6.1.1.10 Modem (PPP)

For this configuration you need a serial interface on the UTM with an external PPP modem attached, as well as the dial-in access data, including username and password, which you get from your Internet Service Provider (ISP).

To configure a Modem (PPP) interface, proceed as follows:

1.

On the Interfaces tab, click New Interface.

The Create New Interface dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the interface.

Type: Select Modem (PPP) from the drop-down list.

Hardware: Select an interface from the drop-down list.

IPv4/IPv6 default GW (optional): Select this option if you want to use the default gate-

way of your provider.

Username: Enter the username, provided by your ISP.

Password: Enter the password, provided by your ISP.

Dial String: Enter the phone number. Example: 5551230

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Line Speed: Set the speed in bits per second for the connection between the UTM and the modem. Common values are 57,600 bits/s and 115,200 bits/s.

Flow Control: Select the method to control the data flow.

If data is transferred via the serial connection, it might happen that the system cannot process incoming data fast enough. To ensure that no data is lost, a method of controlling the data flow becomes necessary. With a serial connection two methods are available:

l   Hardware signals (the RTS/CTS lines of the serial cable)

l   Software signals (XON/XOFF, i.e., the control characters Control-Q and Control-S sent in-band)

Since a PPP connection uses all eight bits of every byte for data and the transferred data can therefore contain the bytes of the control characters Control-S and Control-Q, software flow control would misread them as stop and start signals. We recommend keeping the default setting Hardware and using a serial cable that carries the hardware flow-control signals.

Init String: Enter the string to initialize the modem. Remember that it might become necessary to adjust the init string to the modem. In this case, the init string can be gathered from the associated modem manual. If you do not have the required documentation available, keep the default setting ATZ.

Reset String: Enter the reset string for the modem. Keep in mind that it might be necessary to adjust the reset string to the modem. In this case you can gather it from the associated modem manual. If you do not have the required documentation available, keep the default setting ATZ.

MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1492 bytes is set for the Modem (PPP) interface type.

Asymmetric (optional): Select this option if your connection's uplink and downlink band-

width are not identical and you want the Dashboard to reflect this. Then, two textboxes

are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or 

KB/s. Select the appropriate unit from the drop-down list.

Displayed Max (optional): Here you can enter the maximum downlink bandwidth of 

your connection, if you want the Dashboard to reflect it. The bandwidth can be given in

either MB/s or KB/s. Select the appropriate unit from the drop-down list.

4.   Click Save.

The system will now check the settings for validity. After a successful check the new interface will appear in the interface list. The interface is not yet enabled (toggle switch is gray).

5.   Enable the interface.

Click the toggle switch to activate the interface.

The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.

To show only interfaces of a certain type, select the type of the interfaces you want to have dis-

played from the drop-down list. To either edit or delete an interface, click the corresponding but-

tons.

6.1.2 Additional Addresses

One network card can be configured with additional IP addresses (also called aliases). This function allows you to manage multiple logical networks on one physical network card. It can also be used to assign further addresses to a UTM running NAT (Network Address Translation).

To configure additional addresses on standard Ethernet interfaces, proceed as follows:

1.   On the Additional Addresses tab, click New Additional Address.

The Create New Additional Address dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the new additional address.

On Interface: Select an interface from the drop-down list to which the address is to be assigned.

IPv4/IPv6 Address: Enter the additional IP address of the interface.

Netmask: Select a netmask from the drop-down list and/or enter an IPv6 netmask.

Note – You can configure an interface to have an IPv4 and an IPv6 address sim-

ultaneously.

Comment (optional): Add a description or other information.

3.   Click Save.

The system will now check the settings for validity. After a successful check the new additional address will appear in the list. The additional address is not yet enabled (toggle switch is gray).

4.   Enable the additional address.

Click the toggle switch to activate the additional address.

The additional address is now enabled (toggle switch is green). The additional address might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the additional address is fully operable.

To either edit or delete an additional address, click the corresponding buttons.

6.1.3 Link Aggregation

Link aggregation, which is also known as "port trunking" or "NIC bonding", allows you to aggregate multiple Ethernet network ports into one virtual interface. The aggregated ports appear to your system as a single interface with a single IP address. Link aggregation is useful to increase the link speed beyond the speed of any single NIC, or to provide basic failover and fault tolerance through redundancy in the event any port or switch fails. All traffic that was being routed over the failed port or switch is automatically re-routed to one of the remaining ports or switches. This failover is completely transparent to the system using the connection.

Note – In a high-availability environment, Ethernet connections can even be on different HA

units.

You can define up to four different link aggregation groups. A group can consist of one or mul-

tiple interfaces.

To create a link aggregation group (LAG), proceed as follows:

1.   For each LAG, select the interfaces you want to add.

 A group can consist of a configured interface and/or one or more unconfigured inter-

faces.

To use a configured interface, select it from the Convert Interface drop-down list. To use

unconfigured interfaces, select the respective checkbox(es).

2.   Enable the LAG.

 Activate a group by clicking the button Enable this group.

Once the link aggregation group has been configured, a new LAG interface (e.g., lag0) becomes available for selection when you create an interface definition on the Interfaces tab. On top of the bonding interface you can create one of the following:

l   Ethernet Static

l   Ethernet VLAN

l   Ethernet DHCP

l   Alias interfaces

To disable a LAG, clear the checkboxes of the interfaces that make up the LAG, click Update this Group, and confirm the warning message. The status of the LAG interface is shown on the Support > Advanced > Interfaces Table tab.

6.1.4 Uplink Balancing

With the uplink balancing function you can combine more than one Internet uplink, either for having backup uplinks available or for using load balancing among multiple uplinks. Combining up to 32 different uplinks is supported. Note that with a BasicGuard subscription, only two uplinks can be combined.

Uplink balancing is automatically enabled when you assign a default gateway to an interface in addition to an already existing interface with a default gateway. All interfaces possessing a default gateway will be added to the Active interfaces box, and uplink balancing automatically organizes the balancing between those interfaces from then on. Any other interface with a default gateway will automatically be added, too.

On the Multipath Rules tab you can define specific rules for the traffic to be balanced.

To manually set up uplink balancing, proceed as follows:

1.   Enable uplink balancing.

Click the toggle switch.

The toggle switch turns amber and the Uplink Balancing area becomes editable.

2.   Select active interfaces.

Add one or more interfaces by clicking the Folder icon and dragging interfaces from the object list. With multiple interfaces, traffic coming from clients is balanced by source, i.e., all traffic coming from one source uses the same interface, whereas traffic from another source can be sent to another interface. If one of the interfaces is unavailable, traffic will be taken over by the remaining interface(s).

Note – Initially, when uplink balancing has been enabled automatically, the Active interfaces list already contains all interfaces having a default gateway. If you remove an interface from the list, the Default gateway checkbox of the interface will automatically be unselected. Thus, every interface having a default gateway has to be either on this list or in the Standby interfaces box below. However, you can add interfaces without a default gateway and enter the default gateway address later on.

Note – The sequence of the interfaces is important: In configurations where only one interface can be used, and for packets sent from the UTM itself, by default the first available active interface is used. You can change the interface sequence by clicking the Sort icons in the box.

Using the Edit Scheduler icon on the box header, you can set individual balancing beha-

vior and interface persistence of the active interfaces:

Weight: Weight can be set from 0 to 100 and specifies how much traffic is processed by an interface relative to all other interfaces. A weighted round robin algorithm is used for this, a higher value meaning that more traffic is routed to the respective interface. The values are evaluated relative to each other, so they need not add up to 100. Instead, you can have a configuration, for example, where interface 1 has value 100, interface 2 has value 50 and interface 3 has value 0. Here, interface 2 gets only half the traffic of interface 1, whereas interface 3 only comes into action when none of the other interfaces is available. A value of zero means that another interface with a higher value is always chosen if available.

Persistence: Interface persistence is a technique which ensures that traffic having spe-

cific attributes is always routed over the same uplink interface. Persistence has a default

timeout of one hour.

3.   Select standby interfaces (optional).

Here, you can optionally add failover interfaces that should only come into action if all act-

ive interfaces become unavailable. In this case, the first available standby interface in the

given order will be used. You can change the interface sequence by clicking the Sort

icons in the box.

4.   Change monitoring settings (optional).

By default, Automatic monitoring is enabled to detect possible interface failures. This means that the health of all uplink interfaces is monitored by having them contact a specific host on the Internet at an interval of 15 seconds. By default, the monitoring host is the third ping-allowing hop on the route to one of the root DNS servers. However, you can define the monitoring hosts yourself. For these hosts you can select another service instead of ping, and modify the monitoring interval and timeout.

If the monitoring hosts do not send a response anymore, the respective interface is

regarded as dead and not used anymore for distribution. On the Dashboard, in the Link 

column of the interface, Error  will be displayed.

Note – The same monitoring settings are automatically used for both uplink monitoring (Uplink Monitoring > Advanced) and uplink balancing (Interfaces > Uplink Balancing).

5.   Click Apply .

Your settings will be saved.

A new virtual network interface named Uplink Interfaces is automatically created and now available for use by other functions of the Sophos UTM, e.g. IPsec rules. The virtual network interface Uplink Interfaces comprises all uplink interfaces added to the interface list.

 Additionally, a new network group named Uplink Primary Addresses is automatically created

and now available for use by other functions of the Sophos UTM, e.g. firewall rules. It refers to

the primary addresses of all Uplink Interfaces.

In case of an interface failure, open VPN tunnels can be automatically re-established over the next available interface, provided DynDNS is used or the remote server accepts the IP addresses of all uplink interfaces. As a prerequisite, the IPsec rule must use Uplink Interfaces as Local interface.

Defining Monitoring Hosts

To define the monitoring hosts yourself, proceed as follows:

1. Unselect the Automatic monitoring checkbox.

The Monitoring hosts box becomes editable.

2. Add monitoring hosts.

Select or add one or more hosts that you want to use for monitoring instead of the automatically chosen hosts. If an interface is monitored by more than one host, it will only be regarded as dead if none of its monitoring hosts responds within the defined time span. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Note – If a selected host is bound to an interface, it will only be used to monitor this interface. If a host is not bound to an interface, it will be used to monitor all interfaces. Interfaces not covered by the selected hosts will be monitored by automatic monitoring.

Click the Monitoring Settings icon in the box header to set the monitoring details:

Monitoring type: Select the service protocol for the monitor checks. Select either TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP Ping), HTTP Host (HTTP requests), or HTTPS Host (HTTPS requests) for monitoring. When using UDP, a ping request is sent first; if it succeeds, it is followed by a UDP packet with an empty payload. If the ping does not succeed or an ICMP port unreachable message is returned, the host is regarded as down.

Port (only with monitoring types TCP and UDP): Port number the request will be sent to.

URL (optional, only with monitoring types HTTP/S Host): URL to be requested. You can use ports other than the default ports 80 or 443 by adding the port to the URL, e.g., http://example.domain:8080/index.html. If no URL is entered, the root directory will be requested.

Interval: Enter a time interval in seconds at which the hosts are checked.


Timeout: Enter the maximum time span in seconds within which the monitoring hosts must respond. If none of the monitoring hosts of an interface responds within this time, the interface will be regarded as dead.

3. Click Apply.

Your settings will be saved.
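The following Python script is an added example and not part of the Sophos UTM or of this guide. It models the monitoring-host rules just described: hosts bound to an interface monitor only that interface, unbound hosts monitor all of them, an interface counts as dead only when none of its hosts answers within the timeout, and interfaces that no selected host covers stay under automatic monitoring. The MonitoringHost record, the pluggable probe callable and the constructed result table are assumptions made so the script runs offline; only tcp_probe performs a real check.

```python
"""Uplink health evaluation with the monitoring-host semantics described
in the guide. Added example, not Sophos UTM code: the MonitoringHost
record, the probe callable and probe_from_table are assumptions."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class MonitoringHost:
    address: str
    kind: str = "ping"              # ping | tcp | udp | http | https
    port: Optional[int] = None      # only meaningful for tcp / udp
    bound_to: Optional[str] = None  # interface name, or None = monitors all interfaces


# A probe answers: did this host respond via this interface within `timeout` seconds?
Probe = Callable[[MonitoringHost, str, float], bool]


def tcp_probe(host: MonitoringHost, interface: str, timeout: float) -> bool:
    """Real 'TCP connection establishment' check for kind == 'tcp'.
    The socket is not bound to the uplink here, so the default route is used;
    a production probe would bind to the address of `interface`."""
    try:
        with socket.create_connection((host.address, host.port or 80), timeout=timeout):
            return True
    except OSError:
        return False


def probe_from_table(table: Dict[Tuple[str, str], bool]) -> Probe:
    """Constructed results keyed by (host address, interface), for offline runs."""
    return lambda host, iface, timeout: table.get((host.address, iface), False)


def monitors_for(interface: str, hosts: Iterable[MonitoringHost]) -> List[MonitoringHost]:
    """Bound hosts only monitor their interface; unbound hosts monitor every interface."""
    return [h for h in hosts if h.bound_to is None or h.bound_to == interface]


def interface_states(uplinks: Iterable[str], hosts: Iterable[MonitoringHost],
                     probe: Probe, timeout: float = 5.0) -> Dict[str, str]:
    """Return {interface: 'up' | 'dead' | 'auto'}.

    'dead': every monitoring host of the interface failed to answer in time,
            so the interface is no longer used for distribution.
    'auto': no selected host covers the interface, so automatic monitoring
            (third ping-allowing hop towards a root DNS server) applies.
    """
    hosts = list(hosts)
    states: Dict[str, str] = {}
    for iface in uplinks:
        monitors = monitors_for(iface, hosts)
        if not monitors:
            states[iface] = "auto"
            continue
        # One responding host is enough; any() stops probing at the first success.
        states[iface] = "up" if any(probe(h, iface, timeout) for h in monitors) else "dead"
    return states


def active_uplinks(states: Dict[str, str]) -> List[str]:
    """Interfaces that still take part in uplink balancing."""
    return [iface for iface, state in states.items() if state != "dead"]


if __name__ == "__main__":
    hosts = [
        MonitoringHost("203.0.113.10", "tcp", 443, bound_to="eth1"),
        MonitoringHost("192.0.2.7", "ping", bound_to="eth1"),
        MonitoringHost("198.51.100.5", "https"),            # unbound: covers all uplinks
    ]
    table = {("203.0.113.10", "eth1"): False, ("192.0.2.7", "eth1"): True,
             ("198.51.100.5", "eth1"): False, ("198.51.100.5", "eth2"): True}
    print(interface_states(["eth1", "eth2"], hosts, probe_from_table(table)))
```

Feed interface_states() the interface list from the Uplink Balancing tab at every Interval; active_uplinks() is the set the balancer should distribute over, and an interface that drops out of it is the one the Dashboard shows with Error in the Link column.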

6.1.5 Multipath Rules

On the Interfaces & Routing > Interfaces > Multipath Rules tab you can set rules for uplink balancing. The rules are applied to the active interfaces on the Uplink Balancing tab when there is more than one interface to balance traffic between. Without multipath rules, all services are balanced by source, i.e., all traffic coming from one source uses the same interface, whereas traffic from another source can be sent to another interface. Multipath rules allow you to change this default interface persistence.

Note – Multipath rules can be set up for the service types TCP, UDP, or IP.

To create a multipath rule, proceed as follows:

1. On the Multipath Rules tab, click New Multipath Rule.

The Create New Multipath Rule dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the multipath rule.

Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore. Place the more specific rules at the top of the list to make sure that more general rules match last.

Source: Select or add a source IP address or network to match.

Service: Select or add the network service to match.

Destination: Select or add a destination IP address or network to match.

Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.


Itf. persistence: Interface persistence is a technique which ensures that traffic having specific attributes is always routed over the same uplink interface. Persistence has a default timeout of one hour; you can change this timeout on the Uplink Balancing tab. You can decide what should be the basis for persistence:

• By connection: (default) Balancing is based on the connection, i.e., all traffic belonging to a particular connection uses the same interface, whereas traffic of another connection can be sent to another interface.

• By source: Balancing is based on the source IP address, i.e., all traffic coming from one source uses the same interface, whereas traffic from another source can be sent to another interface.

Note – Persistence by source generally cannot work for traffic that passes through a proxy, because the original source information is lost. The HTTP proxy is an exception: traffic generated by the HTTP proxy is matched against the original client source IP address and thus complies with interface persistence rules By source, too.

• By destination: Balancing is based on the destination IP address, i.e., all traffic going to one destination uses the same interface, whereas traffic to another destination can be sent to another interface.

• By source/destination: Balancing is based on the source/destination IP address combination, i.e., all traffic coming from a specific source A and going to a specific destination B uses the same interface. Traffic with another combination can be sent to another interface. The note above applies here as well.

• By interface: Select an interface from the Bind Interface drop-down list. All traffic matching the rule will be routed over this interface. In case of an interface failure, and if no subsequent rules match, the connection falls back to the default behavior.

Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:

Balanced to (not with persistence by interface): Add an interface group to the field. All traffic matching the rule will be balanced over the interfaces of this group. By default, Uplink Interfaces is selected, so connections are balanced over all uplink interfaces.

Skip rule on interface error: If selected, in case of an interface failure the next matching multipath rule will be used for the traffic. If unselected, no other multipath rule will be used for the defined traffic in case of an interface failure. This makes sense, for example, when you want to ensure that SMTP traffic is only ever sent from a specific static IP address, so that your emails are not classified as spam by the recipients because of an unexpected sender IP address.

4.   Click Save.

The new multipath rule is added to the Multipath Rules list.

5.   Enable the multipath rule.

The new rule is disabled by default (toggle switch is gray). Click the toggle switch to

enable the rule.

The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.
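The following Python module is an added example, not Sophos UTM code. It implements the rule evaluation described above for constructed flows: rules are tried in position order, the persistence basis decides which traffic sticks to the same uplink, Balanced to restricts the interfaces a rule may use, and Skip rule on interface error decides whether a lower-priority rule (or, failing that, default balancing by source) takes over when the rule's interface is down. The Flow and Service records, the SHA-256 based choice within an interface group, the interface-up table fed from uplink monitoring, and the refresh of the persistence timeout on each use are assumptions.

```python
"""Multipath rule evaluation for uplink balancing. Added example, not
Sophos UTM code; Flow/Service records, hashing and the up-table are assumptions."""
import hashlib
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # 'tcp' | 'udp' | 'ip'
    dport: int = 0


@dataclass(frozen=True)
class Service:
    proto: str = "ip"            # 'ip' matches any protocol
    dport: Optional[int] = None  # None = any port

    def matches(self, f: Flow) -> bool:
        return (self.proto == "ip" or self.proto == f.proto) and (
            self.dport is None or self.dport == f.dport)


@dataclass
class Rule:
    name: str
    position: int
    source: str                           # CIDR
    service: Service
    destination: str                      # CIDR
    persistence: str = "connection"       # connection|source|destination|source_destination|interface
    bind_interface: Optional[str] = None  # used with persistence == 'interface'
    balanced_to: Tuple[str, ...] = ()     # () = the Uplink Interfaces group (all uplinks)
    skip_on_error: bool = True

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.destination)
                and self.service.matches(f))


def persistence_key(basis: str, f: Flow) -> str:
    if basis == "source":
        return f.src                      # behind a proxy this is the proxy's address, see the note
    if basis == "destination":
        return f.dst
    if basis == "source_destination":
        return f"{f.src}>{f.dst}"
    return f"{f.src}:{f.proto}>{f.dst}:{f.dport}"   # by connection


class MultipathEngine:
    def __init__(self, rules: List[Rule], interface_up: Dict[str, bool],
                 timeout: int = 3600, now: Callable[[], float] = time.time):
        self.rules = sorted(rules, key=lambda r: r.position)   # lower position wins
        self.interface_up = interface_up    # iface -> bool, maintained by uplink monitoring
        self.timeout = timeout              # persistence timeout, default one hour
        self.now = now
        self.table: Dict[Tuple[str, str], Tuple[str, float]] = {}  # (scope, key) -> (iface, expiry)

    def _pick(self, group: Tuple[str, ...], key: str) -> Optional[str]:
        """Deterministic choice among the active interfaces of a group (assumed hashing)."""
        members = group or tuple(self.interface_up)
        active = [i for i in members if self.interface_up.get(i, False)]
        if not active:
            return None
        digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
        return active[digest % len(active)]

    def _sticky(self, scope: str, key: str, group: Tuple[str, ...]) -> Optional[str]:
        """Reuse the remembered interface while the entry is fresh and the interface is up."""
        now = self.now()
        entry = self.table.get((scope, key))
        if entry and entry[1] > now and self.interface_up.get(entry[0], False):
            self.table[(scope, key)] = (entry[0], now + self.timeout)
            return entry[0]
        iface = self._pick(group, key)
        if iface is not None:
            self.table[(scope, key)] = (iface, now + self.timeout)
        return iface

    def select(self, f: Flow) -> Tuple[Optional[str], Optional[str]]:
        """Return (outgoing interface or None, name of the deciding rule or None)."""
        for rule in self.rules:
            if not rule.matches(f):
                continue
            if rule.persistence == "interface":
                if self.interface_up.get(rule.bind_interface, False):
                    return rule.bind_interface, rule.name
            else:
                iface = self._sticky(rule.name, persistence_key(rule.persistence, f), rule.balanced_to)
                if iface is not None:
                    return iface, rule.name
            if not rule.skip_on_error:
                return None, rule.name   # hold the traffic rather than send it via another uplink
            # Skip rule on interface error: try the next matching rule
        # No usable rule: default behaviour, balance by source over all uplink interfaces
        return self._sticky("default", f.src, ()), None
```

With skip_on_error=False, the SMTP rule in the test below returns no interface while its bound uplink is down; that is the behaviour the SMTP example above asks for, since mail must never leave with the other uplink's source address.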

6.1.6 Hardware

The Interfaces & Routing > Interfaces > Hardware tab lists all configured interfaces, showing information such as the Ethernet mode of operation or the MAC address. On UTM hardware devices, auto negotiation can be enabled or disabled for each interface.

Auto Negotiation: Usually, the Ethernet mode of operation (1000BASE-T full-duplex, 100BASE-T full-duplex, 100BASE-T half-duplex, 10BASE-T full-duplex, 10BASE-T half-duplex, and so on) between two network devices is negotiated automatically by choosing the best mode of operation supported by both devices, where a higher speed (e.g. 1000 Mbit/s) is preferred over a lower speed (e.g. 100 Mbit/s), and full duplex is preferred over half duplex at the same speed.

Caution – For proper 1000 Mbit/s operation, auto negotiation is mandatory according to IEEE Std 802.3ab. Therefore, never switch Auto Negotiation off for an interface with Link mode 1000BASE-T: the timing of your network link may fail, causing service degradation or failure. For 100 Mbit/s and 10 Mbit/s operation, auto negotiation is optional, but still recommended wherever possible.

Auto negotiation is enabled by default. In the rare case that you need to switch it off, click the Edit button of the corresponding interface card and change the setting in the Edit NIC Parameters dialog box via the Link Mode drop-down list. Note that the drop-down list is only available on UTM hardware devices. Click Save to save your changes.


Caution – Be careful when disabling auto negotiation, as this might lead to speed or duplex mismatches, resulting in a significant performance decrease or even a disconnect. If the respective network interface card is your interface to WebAdmin, you may lose access to WebAdmin!

If one of your interfaces has lost its network link due to changes to auto negotiation or speed settings, simply changing the settings back will typically not bring the interface back to normal operation: changing auto negotiation or speed settings on disconnected interfaces is not reliable. Therefore, first switch auto negotiation on and then reboot the UTM to restore normal operation.

HA Link Monitoring: If high availability is enabled, all configured interfaces are monitored for link status. In case of a link failure, a takeover is triggered. If a configured interface is not always connected (e.g. a management interface), disable HA link monitoring for the corresponding interface. Otherwise all HA nodes will stay in status UNLINKED. To disable HA link monitoring, click the Edit button of the corresponding interface card and change the setting in the Edit NIC Parameters dialog box. Click Save to save your changes.

Set Virtual MAC: Sometimes it is useful to be able to change the MAC address of a device. For example, some ISPs require the modem to be reset whenever the device connected to it, and thereby its MAC address, changes. By setting the MAC address to the value of the former device, a reset of the modem can be avoided.

The UTM does not overwrite the original MAC address of the device but instead sets a virtual MAC address. To do so, click the Edit button of the corresponding interface card. In the Edit NIC Parameters dialog box, select the Set Virtual MAC checkbox and enter a valid MAC address. Click Save to save your changes.

To restore the original MAC address, click the Edit button of the corresponding interface card. In the Edit NIC Parameters dialog box, unselect the Set Virtual MAC checkbox. Click Save to save your changes.

6.2 Bridging

Bridging is a packet forwarding technique primarily used in Ethernet networks. Unlike routing, bridging makes no assumptions about where in a network a particular address is located. Instead, it depends on broadcasting to locate unknown devices.


Through bridging, several Ethernet networks or segments can be connected to each other. Frames are forwarded according to bridging tables, which map MAC addresses to a bridge port. The resulting bridge will transparently pass traffic across the bridge interfaces.

Note – Such traffic must explicitly be allowed by means of appropriate firewall rules.

Note – Most virtual hosts do not permit MAC address changes or promiscuous mode by default on their virtual interfaces. For bridging to work on virtual hosts, make sure that MAC address validation is disabled and promiscuous mode is allowed on the virtual host.

6.2.1 Status

To configure a bridge, proceed as follows:

1. Enable bridging on the Status tab.

On the Interfaces & Routing > Bridging > Status tab, click the toggle switch.

The toggle switch turns amber and the Bridge Configuration area becomes editable.

2. Select the bridging mode.

You can choose between two bridging modes:

• Bridge all NICs: Select this option to have all non-configured Ethernet network interface cards joined to a bridge. Specifying a Convert Interface is mandatory with this mode. All non-configured interfaces except for the Convert Interface will be deleted.

• Bridge Selected NICs: You can select individual NICs that should form the bridge. This requires that there are unused network interface cards available. Select one or more of them to form the bridge. It is also possible to specify a Convert Interface that will be copied to the new bridge.

Note – For link aggregation you can bridge two LAG interfaces, for example by using one of them as the Convert Interface.

3. Select the interface that should be converted to a bridge.

Only an already configured interface can be selected. The bridge will inherit the address settings of that interface, as well as its alias addresses and VLAN settings.


4. Click Create Bridge.

The network interfaces are combined and the bridge is activated (the toggle switch shows green).

To cancel the configuration, click the amber colored toggle switch.

Once the bridge has been configured, the converted interface appears as a bridge device with SysID br0 on the Interfaces & Routing > Interfaces tab. All interfaces that are members of the bridge are displayed in the Bridge Configuration area. To remove an interface from the bridge, clear its checkbox and click Update Bridge.

Removing a Bridge

To remove the bridge, proceed as follows:

1. On the Status tab, click the toggle switch.

The toggle switch turns amber.

2. Click Confirm Removal of Bridge.

The toggle switch turns gray. The bridge has been successfully removed.

6.2.2 Advanced

On the Interfaces & Routing > Bridging > Advanced tab, the following bridging options can be configured:

Allow ARP broadcasts: This option controls whether global ARP broadcasts are forwarded by the bridge. If enabled, the bridge allows broadcasts to the MAC destination address FF:FF:FF:FF:FF:FF. Such broadcasts, however, could be used by an attacker to gather information about the network cards employed within the respective network segment, or even about the security product itself. Therefore, the default setting is not to let such broadcasts pass the bridge.

Spanning Tree Protocol: Enabling this option activates the Spanning Tree Protocol (STP). This network protocol detects and prevents bridge loops.

Caution – Be aware that the Spanning Tree Protocol provides no authentication; attackers on a bridged segment may be able to alter the bridge topology by sending forged BPDUs.

Ageing Timeout: The amount of time in seconds after which an inactive MAC address is deleted from the bridging table. The default is 300 seconds.


Allow IPv6 Pass Through: Enabling this option allows IPv6 traffic to pass the bridge without any inspection.

Virtual MAC Address: Here you can enter a static MAC address for the bridge. By default (and as long as the entry is 00:00:00:00:00:00), the bridge uses the lowest MAC address of all member interfaces.

Forwarded EtherTypes: By default, a bridge configured on the Sophos UTM only forwards IP packets. If you want additional protocols to be forwarded, you have to add their EtherType to this box. The types have to be entered as four-digit hexadecimal numbers. Popular examples are AppleTalk (type 809B), Novell (type 8138), or PPPoE (types 8863 and 8864). A typical use case would be a bridge between your RED interfaces which should forward additional protocols between the connected networks.
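The following Python model is an added example and not Sophos UTM code. It shows how the Advanced options interact when a frame arrives at a bridge port: the EtherType decides whether the frame is forwarded at all (IP by default, an ARP broadcast only with Allow ARP broadcasts, IPv6 only with Allow IPv6 Pass Through, anything else only if listed under Forwarded EtherTypes), the learned MAC table decides the output port, and Ageing Timeout expires stale entries. Two details are assumptions: unicast ARP is forwarded because IP cannot work without it (the text only covers the broadcast case), and frames carrying an 802.3 length field instead of an EtherType are dropped. The MAC addresses in the test are constructed, and the firewall rules that bridged IP traffic still has to pass are not modelled.

```python
"""Bridge forwarding decision modelling the Bridging > Advanced options.
Added example, not Sophos UTM code; unicast-ARP forwarding and the
handling of 802.3 length fields are assumptions."""
import struct
import time
from typing import Callable, Dict, Iterable, List, Tuple

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
BROADCAST = b"\xff" * 6


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed test frame: 14-byte Ethernet II header plus payload."""
    def mac(text: str) -> bytes:
        return bytes.fromhex(text.replace(":", ""))
    return struct.pack("!6s6sH", mac(dst), mac(src), ethertype) + payload


class Bridge:
    def __init__(self, ports: Iterable[str], allow_arp_broadcast: bool = False,
                 ipv6_passthrough: bool = False, forwarded_ethertypes: Iterable[str] = (),
                 ageing_timeout: int = 300, now: Callable[[], float] = time.time):
        self.ports = list(ports)
        self.allow_arp_broadcast = allow_arp_broadcast
        self.ipv6_passthrough = ipv6_passthrough
        self.extra = {int(t, 16) for t in forwarded_ethertypes}   # four-digit hex, e.g. "809B"
        self.ageing_timeout = ageing_timeout
        self.now = now
        self.fdb: Dict[bytes, Tuple[str, float]] = {}              # mac -> (port, last seen)

    def _allowed(self, ethertype: int, dst: bytes) -> bool:
        if ethertype == ETH_IPV4:
            return True                                            # IP is always forwarded
        if ethertype == ETH_ARP:
            return dst != BROADCAST or self.allow_arp_broadcast    # global ARP broadcast gated
        if ethertype == ETH_IPV6:
            return self.ipv6_passthrough
        return ethertype in self.extra                             # Forwarded EtherTypes

    def _age(self) -> None:
        cutoff = self.now() - self.ageing_timeout
        for mac in [m for m, (_, seen) in self.fdb.items() if seen < cutoff]:
            del self.fdb[mac]

    def forward(self, in_port: str, frame: bytes) -> List[str]:
        """Return the ports the frame leaves on; an empty list means it was dropped."""
        if len(frame) < 14:
            return []
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype < 0x0600:          # 802.3 length field, not an EtherType (assumption: drop)
            return []
        self._age()
        self.fdb[src] = (in_port, self.now())   # learn: the sender lives behind in_port
        if not self._allowed(ethertype, dst):
            return []
        entry = self.fdb.get(dst)
        if entry is not None:
            return [] if entry[0] == in_port else [entry[0]]       # known unicast
        return [p for p in self.ports if p != in_port]             # unknown, multicast, broadcast: flood
```

The order of the checks matters for the security point in the text: the bridge learns the source MAC from a frame it later drops, but an ARP broadcast from an attacker never reaches the other segment unless Allow ARP broadcasts is on, so the hosts (and the UTM itself) behind the bridge do not answer it.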

6.3 Quality of Service (QoS)

Generally speaking, Quality of Service (QoS) refers to control mechanisms that provide better service to selected network traffic, in particular by guaranteeing bandwidth. In Sophos UTM, priority traffic is configured on the Quality of Service (QoS) tabs, where you can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network, whereas shaping of inbound traffic is optimized internally by techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).

6.3.1 Status

The Quality of Service (QoS) > Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.

To configure QoS for an interface, proceed as follows:

1. Click the Edit button of the respective interface.

The Edit Interface dialog box opens.

2. Make the following settings:

Downlink kbit/sec / Uplink kbit/sec: Enter the downlink and uplink bandwidth (in kbit/s) provided by your ISP. For example, for a 5 Mbit/s Internet connection for both uplink and downlink, enter 5120.


If you have a fluctuating bandwidth, enter the lowest value that is guaranteed by your ISP. For example, if you have a 5 Mbit/s Internet connection for both uplink and downlink with a variation of 0.8 Mbit/s, enter 4300 kbit/s. Note that if the available bandwidth temporarily becomes higher than the configured lowest guaranteed value, the gateway can make a projection taking the new bandwidth into account, so that the bandwidth share for the priority traffic is increased as well; unfortunately, this does not work the other way round.

Limit Uplink: Selecting this option tells the QoS function to use the configured downlink and uplink bandwidth as the calculation base for prioritizing traffic that passes this interface. The Limit Uplink option is selected by default and should be used for the following interface types:

• Ethernet Static interface (with a router sitting between the gateway and the Internet; the bandwidth provided by the router is known)

• Ethernet VLAN interface (with a router sitting between the gateway and the Internet; the bandwidth provided by the router is known)

• DSL (PPPoE)

• DSL (PPPoA)

• Modem (PPP)

Clear the Limit Uplink checkbox for interfaces whose traffic shaping calculation base can be determined from the maximum speed of the interface. This only applies to the following interface types:

• Ethernet Static interface (directly connected to the Internet)

• Ethernet VLAN interface (directly connected to the Internet)

• Ethernet DHCP

For interfaces with no specific uplink limit given, the QoS function shapes the entire traffic proportionally. For example, if you have configured 512 kbit/s for VoIP traffic on an Ethernet DHCP interface and the available bandwidth has decreased by half, then 256 kbit/s would be used for this traffic (note that proportional shaping works in both directions, in contrast to interfaces that rely on a fixed maximum limit).

Download Equalizer: If enabled, the Stochastic Fairness Queuing (SFQ) and Random Early Detection (RED) queuing algorithms are used to avoid network congestion. When the configured downlink speed is reached, packets from the stream consuming the most downlink bandwidth are dropped.

Upload Optimizer: If enabled, this option automatically prioritizes outgoing TCP connection establishments (TCP packets with the SYN flag set), acknowledgment packets of TCP connections (TCP packets with the ACK flag set and a packet length between 40 and 60 bytes), and DNS lookups (UDP packets on port 53).

3. Click Save.

Your settings will be saved.

4. Enable QoS for the interface.

Click the toggle switch of the interface. The toggle switch turns green.

6.3.2 Traffic Selectors

A traffic selector can be regarded as a QoS definition which describes certain types of network traffic to be handled by QoS. These definitions are later used inside a bandwidth pool definition, where you define how this traffic is handled by QoS, e.g. by limiting its overall bandwidth or guaranteeing a certain minimum bandwidth.

To create a traffic selector, proceed as follows:

1. On the Traffic Selector tab, click New Traffic Selector.

The Create New Traffic Selector dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this traffic selector.

Selector type: You can define the following types:

• Traffic selector: Using a traffic selector, traffic is shaped based on a single service or a service group.

• Application selector: Using an application selector, traffic is shaped based on applications, i.e. on which traffic belongs to which application, independent of the port or service used.

• Group: You can group different service and application selectors into one traffic selector rule. To define a group, some single selectors must already be defined.

Source: Add or select the source network for which you want to enable QoS.


Service: Only with Traffic selector. Add or select the network service for which you want to enable QoS. You can select among various predefined services and service groups. For example, select VoIP protocols (SIP and H.323) if you want to reserve a fixed bandwidth for VoIP connections.

Destination: Add or select the destination network for which you want to enable QoS.

Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Control by: Only with Application selector. Select whether to shape traffic based on its application type or by a dynamic filter based on categories.

• Applications: The traffic is shaped application-based. Select one or more applications in the Control these applications box.

• Dynamic filter: The traffic is shaped category-based. Select one or more categories in the Control these categories box.

Control these applications/categories: Only with Application selector. Click the Folder icon to select applications/categories. A dialog window opens, which is described in detail in the next section.

Productivity: Only with Dynamic filter. Reflects the productivity score you have chosen.

Risk: Only with Dynamic filter. Reflects the risk score you have chosen.

Note – Some applications cannot be shaped. This is necessary to ensure flawless operation of Sophos UTM. Such applications have no checkbox in the application table of the Select Application dialog window, e.g. WebAdmin, Teredo and SixXS (for IPv6 traffic), Portal (for User Portal traffic), and some more. When using dynamic filters, shaping of those applications is also prevented automatically.

Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:

TOS/DSCP (only with selector type Traffic Selector): In special cases it can be useful to distinguish traffic to be handled by QoS not only by its source, destination, and service but additionally by the TOS or DSCP field in the IP header.


• Off: With this default option, all traffic matching the source, service and destination selected above will be handled by QoS.

• TOS bits: Select this option if you want to restrict the traffic handled by QoS to IP packets with specific TOS (Type of Service) bits set. You can choose between the following settings:

    • Normal service

    • Minimize monetary cost

    • Maximize reliability

    • Maximize throughput

    • Minimize delay

• DSCP bits: Select this option if you want to restrict the traffic handled by QoS to IP packets with a specific DSCP (Differentiated Services Code Point) value. You can either specify a single DSCP Value (an integer in the range 0-63) or select a predefined value from the DSCP Class list (e.g., BE default dscp (000000)).

Amount of data sent/received: Select the checkbox if you want the traffic selector to match based on the amount of bytes transferred by a connection so far. With this feature you can, for example, limit the bandwidth of large HTTP uploads without constraining regular HTTP traffic.

• Sent/Received: From the drop-down list, select More than to define the traffic selector only for connections which have exceeded a certain amount of traffic. Select Less than to define it for connections with less traffic so far.

• kByte: Enter the threshold for the amount of traffic.

Helper: Some services use dynamic port ranges for data transmission. For each connection, the ports to be used are negotiated between the endpoints via a control channel. The UTM uses a special connection tracking helper that monitors the control channel to determine which dynamic ports are being used. To include the traffic sent through the dynamic ports in the traffic selector, select Any in the Service box above, and select the respective service from the Helper drop-down list.

4. Click Save.

The new selector appears on the Traffic Selectors list.

If you have defined many traffic selectors, you can combine multiple selectors inside a single traffic selector group to make the configuration more convenient.

This traffic selector or traffic selector group can now be used in each bandwidth pool. These pools can be defined on the Bandwidth Pools tab.
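The following Python code is an added example, not Sophos UTM code. It models how a selector of type Traffic selector is matched against a connection: source, destination and service first, then the optional TOS bits or DSCP value condition, then the Amount of data sent/received threshold that lets one pool catch large HTTP uploads while ordinary web requests fall through to the next selector. The Connection record with its byte counters, the TOS_BITS and DSCP_CLASS tables and the sample traffic are constructed; DSCP is read from the upper six bits of the TOS byte as the IP header defines it. Application selectors and groups are not modelled.

```python
"""Traffic selector matching. Added example, not Sophos UTM code; the
Connection record and the lookup tables are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# RFC 1349 Type of Service bits, as offered by the TOS bits option
TOS_BITS = {"normal_service": 0x00, "minimize_monetary_cost": 0x02,
            "maximize_reliability": 0x04, "maximize_throughput": 0x08,
            "minimize_delay": 0x10}
DSCP_CLASS = {"BE": 0, "AF41": 34, "CS5": 40, "EF": 46}   # a few entries of the DSCP Class list


def dscp_of(tos_byte: int) -> int:
    """DSCP value (0-63) carried in the upper six bits of the TOS byte."""
    return (tos_byte >> 2) & 0x3F


@dataclass
class Connection:
    src: str
    dst: str
    proto: str
    dport: int
    tos: int = 0            # TOS byte seen on the connection's packets
    sent_kb: int = 0        # kByte sent by the client so far (from connection tracking)
    received_kb: int = 0


@dataclass
class Selector:
    name: str
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    proto: Optional[str] = None          # None = Any
    dport: Optional[int] = None
    tos_bits: Optional[str] = None       # key of TOS_BITS
    dscp: Optional[int] = None           # 0-63, e.g. DSCP_CLASS["EF"]
    amount: Optional[Tuple[str, str, int]] = None   # (sent|received, more|less, kByte)

    def matches(self, c: Connection) -> bool:
        if ipaddress.ip_address(c.src) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(c.dst) not in ipaddress.ip_network(self.destination):
            return False
        if self.proto is not None and (
                self.proto != c.proto or (self.dport is not None and self.dport != c.dport)):
            return False
        # TOS/DSCP is Off when both conditions are None
        if self.tos_bits is not None and (c.tos & 0x1E) != TOS_BITS[self.tos_bits]:
            return False
        if self.dscp is not None and dscp_of(c.tos) != self.dscp:
            return False
        if self.amount is not None:
            direction, op, threshold = self.amount
            value = c.sent_kb if direction == "sent" else c.received_kb
            if op == "more" and value <= threshold:
                return False
            if op == "less" and value >= threshold:
                return False
        return True


def first_matching(selectors: Iterable[Selector], c: Connection) -> Optional[str]:
    """Name of the first selector that matches the connection (list order = position)."""
    for s in selectors:
        if s.matches(c):
            return s.name
    return None
```

Because the byte counters change while a connection is open, a connection can start out matching the generic web selector and move into the large-upload selector once it crosses the threshold, which is exactly how the text describes limiting large HTTP uploads without constraining regular HTTP traffic.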

The Select Application or Category Dialog Window

When creating application control rules you need to choose applications or application categories from a dialog window called Select one or more applications/categories to control.

The table in the lower part of the dialog window displays the applications you can choose from or which belong to a selected category. By default, all applications are displayed.

The upper part of the dialog window provides three configuration options to limit the number of applications in the table:

• Category: Applications are grouped by category. This list contains all available categories. By default, all categories are selected, which means that the table below displays all available applications. If you want to limit the displayed applications to certain categories, click into the category list and select only the categories relevant to you.

• Productivity: Applications are also classified by their productivity impact, i.e. how much they influence productivity. Example: Salesforce, a typical business application, has the score 5, which means its usage adds to productivity. On the contrary, Farmville, an online game, has the score 1, which means its usage is counterproductive. The network service DNS has the score 3, which means its productivity impact is neutral.

• Risk: Applications are also classified by the risk they carry when used, with regard to malware, virus infections, or attacks. A higher number means a higher risk.

Tip – Each application has an Info icon which, when clicked, displays a description of the respective application. You can search the table by using the filter field in the table header.

Now, depending on the type of control you selected in the Create New Traffic Selector dialog box, do the following:

• Control by dynamic filter: Select the categories from the Category box and click Apply to adopt the selected categories into your rule.

• Control by application: From the table, select the applications you want to control by clicking the checkbox in front of them. Click Apply to adopt the selected applications into your rule.

After clicking Apply, the dialog window closes and you can continue to edit the settings of your traffic selector rule.


6.3.3 Bandwidth Pools

On the Quality of Service (QoS) > Bandwidth Pools tab you can define and manage bandwidth pools for bandwidth management. With a bandwidth pool, you reserve a guaranteed bandwidth for a specific outgoing traffic type, optionally capped by a maximum bandwidth limit.

To create a bandwidth pool, proceed as follows:

1. On the Bandwidth Pools tab, select an interface.

From the Bound to interface drop-down list, select the interface for which you want to create a bandwidth pool.

2. Click New Bandwidth Pool.

The Create New Bandwidth Pool dialog box opens.

3. Make the following settings:

Name: Enter a descriptive name for this bandwidth pool.

Position: The position number, defining the priority of the bandwidth pool. Lower numbers have higher priority. Bandwidth pools are matched in ascending order. Once a bandwidth pool has matched, bandwidth pools with a higher number will not be evaluated anymore. Place the more specific pools at the top of the list to make sure that more general pools match last. For example, if you have configured a traffic selector for web traffic (HTTP) in general and one for web traffic to a particular host, place the bandwidth pool that uses the latter traffic selector on top of the bandwidth pool list, that is, select position 1 for it.

Bandwidth: Enter the uplink bandwidth (in kbit/s) you want to reserve for this bandwidth pool. For example, if you want to reserve 1 Mbit/s for a particular type of traffic, enter 1024.

Note – You can only assign up to 90 % of the entire available bandwidth to a bandwidth pool. The gateway always reserves 10 % of the bandwidth for so-called unshaped traffic. To stay with the example above, if your uplink Internet connection is 5 Mbit/s (5120 kbit/s) and you want to assign as much bandwidth as possible to VoIP traffic, you can enter at most 4608 kbit/s.

Specify upper bandwidth limit: The value you entered in the Bandwidth field above represents the guaranteed bandwidth to be reserved for a specific kind of traffic.


However, a bandwidth pool usually allocates more bandwidth for its traffic if available. If you do not want a particular kind of traffic to consume more than a certain amount of your bandwidth, select this option to cap the bandwidth used by this bandwidth pool at an upper limit.

Traffic selectors: Select the traffic selectors you want to use for this bandwidth pool.

Comment (optional): Add a description or other information.

4. Click Save.

The new bandwidth pool appears on the Bandwidth Pools list.

5. Enable the rule.

The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

The rule is now enabled (toggle switch is green).

To either edit or delete a bandwidth pool, click the corresponding buttons.

6.3.4 Download Throttling

On the Quality of Service (QoS) > Download Throttling tab you can define and manage rules to throttle incoming traffic. If packets are coming in faster than the configured threshold, excess packets will be dropped immediately without being listed in the firewall rules log file. As a result of TCP congestion avoidance mechanisms, affected senders should reduce their sending rates in response to the dropped packets.

To create a download throttling rule, proceed as follows:

1. On the Download Throttling tab, select an interface.
From the Bound to interface drop-down list, select the interface for which you want to create a download throttling rule.

2. Click New Download Throttling Rule.
The Create New Download Throttling Rule dialog box opens.

3. Make the following settings:

Name: Enter a descriptive name for this download throttling rule.

Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore. Place the more specific rules at the top of the list to make sure that more vague rules match last.

Limit (kbit/s): The upper limit (in Kbit) for the specified traffic. For example, if you want to limit the rate to 1 Mbit/s for a particular type of traffic, enter 1024.

Limit: Combination of traffic source and destination to which the limit defined above applies:

• shared: The limit is equally distributed between all existing connections. That is, the overall download rate of the traffic defined by this rule is limited to the specified value.
• each source address: The limit applies to each particular source address.
• each destination address: The limit applies to each particular destination address.
• each source/destination: The limit applies to each particular pair of source and destination address.

Traffic selectors: Select the traffic selectors for which you want to throttle the download rates. The defined limit will be divided between the selected traffic selectors.

Comment (optional): Add a description or other information.

4. Click Save.
The new download throttling rule appears on the Download Throttling list.

5. Enable the rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.
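To make the difference between the four Limit modes concrete, here is an added example (not part of the Sophos documentation or product) that groups constructed download flows into the buckets that share one limit and shows how the total admitted rate grows with the number of buckets; the equal split inside a per-address bucket is an assumption.

```python
"""Download throttling 'Limit' modes (added example, not Sophos code).

Models how one throttling rule's limit (kbit/s) is shared under the four
modes described above: shared, each source address, each destination
address, each source/destination.  Flow records are constructed inline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source address of the connection
    dst: str   # destination address of the connection


MODES = ("shared", "each source address",
         "each destination address", "each source/destination")


def bucket_key(flow: Flow, mode: str):
    """Key identifying the group of flows that share one limit under `mode`."""
    if mode == "shared":
        return "all"
    if mode == "each source address":
        return flow.src
    if mode == "each destination address":
        return flow.dst
    if mode == "each source/destination":
        return (flow.src, flow.dst)
    raise ValueError(f"unknown limit mode: {mode}")


def limit_buckets(flows, mode):
    """Group flows into buckets; every bucket gets the full rule limit."""
    buckets = defaultdict(list)
    for flow in flows:
        buckets[bucket_key(flow, mode)].append(flow)
    return dict(buckets)


def per_flow_rate(flows, mode, limit_kbit):
    """Rate each flow gets if all flows in a bucket are equally greedy.

    The text states equal distribution for 'shared'; applying the same
    split inside each per-address bucket is an assumption for illustration.
    """
    rates = {}
    for members in limit_buckets(flows, mode).values():
        share = limit_kbit / len(members)
        for flow in members:
            rates[flow] = share
    return rates


def aggregate_ceiling(flows, mode, limit_kbit):
    """Most the rule lets these flows download in total: limit x buckets.

    Shows why a per-address mode on a rule covering many addresses admits
    far more traffic than the configured number alone suggests.
    """
    return limit_kbit * len(limit_buckets(flows, mode))


# Constructed sample: two external servers sending to three internal clients.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.0.11"),
    Flow("203.0.113.5", "10.0.0.12"),
    Flow("203.0.113.6", "10.0.0.12"),
    Flow("203.0.113.6", "10.0.0.13"),
]

if __name__ == "__main__":
    for mode in MODES:
        ceiling = aggregate_ceiling(SAMPLE_FLOWS, mode, 1024)
        print(f"{mode:26s} -> total ceiling {ceiling} kbit/s")
```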

6.3.5 Advanced

Keep classification after encapsulation

Select this checkbox if you want to make sure that after encapsulation a packet will still match the traffic selector of the original service if no other traffic selector matches.

The assignment of an encapsulated IP packet to a traffic selector works as follows:

1. The original IP packet is compared with the existing traffic selectors in the given order. The packet is assigned to the first matching traffic selector (e.g., Internal -> HTTP -> Any).
2. The IP packet gets encapsulated, and the service changes (e.g., to IPsec).
3. The encapsulated packet is compared with the existing traffic selectors in the given order. The packet is assigned to the first matching traffic selector (e.g., Internal -> IPsec -> Any).
4. If no traffic selector matches, the assignment depends on the Keep classification after encapsulation option:
• If the option is selected, the encapsulated packet will be assigned to the traffic selector found in step 1.
• If the option is not selected, the encapsulated packet will not be assigned to any traffic selector and therefore cannot be part of a bandwidth pool.
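The four steps above, as an added example in Python that is not from the Sophos documentation or product: selector and packet names such as Internal, Intranet-Server and the GRE encapsulation are constructed for illustration.

```python
"""Traffic selector classification with 'Keep classification after
encapsulation' (added example, not Sophos code).

Selectors are (source, service, destination) triples matched in list
order, with "Any" as a wildcard.  A packet is classified, then
encapsulated (its service changes, e.g. to IPsec), then classified again.
If the second pass finds no selector, the option decides whether the
first result is kept.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    source: str       # network name, e.g. "Internal"
    service: str      # e.g. "HTTP", "IPsec"
    destination: str  # network or host name


@dataclass(frozen=True)
class Selector:
    name: str
    source: str
    service: str
    destination: str

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.source, pkt.source),
                 (self.service, pkt.service),
                 (self.destination, pkt.destination))
        return all(want == "Any" or want == have for want, have in pairs)


def first_match(selectors: List[Selector], pkt: Packet) -> Optional[Selector]:
    """Steps 1 and 3: evaluate selectors in order, first hit wins."""
    return next((s for s in selectors if s.matches(pkt)), None)


def classify_after_encapsulation(selectors, pkt, encap_service,
                                 keep_classification) -> Optional[Selector]:
    """Steps 1 to 4 from the text.  Returns the selector the encapsulated
    packet ends up in, or None (then it cannot be part of a bandwidth pool)."""
    original = first_match(selectors, pkt)               # step 1
    encapsulated = replace(pkt, service=encap_service)   # step 2
    after = first_match(selectors, encapsulated)         # step 3
    if after is not None:
        return after
    return original if keep_classification else None    # step 4


# Constructed selector list, most specific first as the Position text advises.
SELECTORS = [
    Selector("web-to-intranet", "Internal", "HTTP", "Intranet-Server"),
    Selector("web", "Internal", "HTTP", "Any"),
    Selector("vpn", "Internal", "IPsec", "Any"),
]
WEB_PKT = Packet("Internal", "HTTP", "Example-Web")
INTRANET_PKT = Packet("Internal", "HTTP", "Intranet-Server")
DNS_PKT = Packet("Internal", "DNS", "Example-DNS")

if __name__ == "__main__":
    # With IPsec there is a selector for the encapsulated service, so the
    # option does not matter; with GRE (no selector) it decides everything.
    for keep in (True, False):
        hit = classify_after_encapsulation(SELECTORS, WEB_PKT, "GRE", keep)
        print(f"keep={keep}: HTTP in GRE ->", hit.name if hit else "unclassified")
```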

Explicit Congestion Notification support

ECN (Explicit Congestion Notification) is an extension to the Internet Protocol that allows end-to-end notification of network congestion without dropping packets. ECN only works if both endpoints of a connection successfully negotiate to use it. If you select this checkbox, the UTM will signal that it is willing to use ECN. If the other endpoint agrees, they will exchange ECN information. Note that the underlying network and involved routers must support ECN as well.

6.4 Uplink Monitoring

The menu Interfaces & Routing > Uplink Monitoring gives you the possibility to monitor your uplink connection and to define certain actions which will be automatically applied in case the connection status changes.

For example, you can automatically turn on a backup VPN tunnel using another link, or disable an alias IP address so that it will trigger a monitoring service.

6.4.1 Global

On the Uplink Monitoring > Global tab you can enable or disable uplink monitoring.

To enable uplink monitoring, click the toggle switch.
The toggle switch turns green.


If uplink monitoring is enabled, the Uplink Status section shows all current uplink interfaces and their statuses:

• ONLINE: The uplink connection is established and functional.
• OFFLINE: According to the monitoring, the uplink connection is defective.
• DOWN: Either the uplink interface is disabled administratively, or, in case of a dynamic interface, the remote PPP or DHCP server is not reachable.
• STANDBY: The interface is defined as a standby interface on the Interfaces > Uplink Balancing tab, and it is currently not in use.

Note – If uplink balancing is enabled, the uplinks will always be monitored, even if uplink monitoring is disabled. Therefore, even if uplink monitoring is disabled, the uplink interfaces are displayed on this page when uplink balancing is enabled. In this case, the monitoring settings can be modified on the Interfaces > Uplink Balancing tab.

6.4.2 Actions

On the Interfaces & Routing > Uplink Monitoring > Actions tab you can define actions that will be automatically applied in case the uplink connection status changes. For example, you might want to disable an additional address when your uplink connection is down.

To create a new action, do the following:

1. On the Actions tab, click New Action.
The dialog box Create New Action If Uplink Goes Offline opens.

2. Make the following settings:

Name: Enter a descriptive name for the action.

Type: Select the connection type for which you want to define an action.
• IPsec tunnel: Select this option from the drop-down list if you want to define an action for an IPsec tunnel.
• Additional address: Select this option from the drop-down list if you want to define an action for an additional address.

IPsec tunnel: (Only available with Type IPsec Tunnel.) If there are any IPsec tunnels defined, you can select one of them here. For more information on IPsec tunnels see chapter Remote Access > IPsec.


Add. address: (Only available with Type Additional Address.) If there are any additional addresses defined, you can select one of them here. For more information on additional addresses see chapter Interfaces & Routing > Interfaces > Additional Addresses.

Action: You can either select Enable or Disable here, which means that, in case of an uplink interruption, the above selected IPsec tunnel or additional address is going to be enabled or disabled.

Comment (optional): Add a description or other information.

3. Click Save.
The action will be saved and applied in case the uplink connection is interrupted.

To either edit or delete an action, click the corresponding buttons.

6.4.3 Advanced

On the Uplink Monitoring > Advanced tab you can disable automatic monitoring of the uplink connection and instead define one or more hosts which are used for monitoring.

By default, Automatic monitoring is enabled to detect possible interface failures. This means that the health of all uplink interfaces is monitored by having them contact a specific host on the Internet at an interval of 15 seconds. By default, the monitoring host is the third ping-allowing hop on the route to one of the root DNS servers. However, you can define the hosts for monitoring the server pool yourself. For these hosts you can select another service instead of ping, and modify the monitoring interval and timeout.

The monitoring hosts will then be contacted periodically and if none of them is reachable, the uplink connection is regarded as down. Subsequently, the actions defined on the Actions tab will be carried out.

Note – The same monitoring settings are automatically used for both uplink monitoring (Uplink Monitoring > Advanced) and uplink balancing (Interfaces > Uplink Balancing).

To use your own hosts for monitoring, do the following:

1. Unselect the Automatic monitoring checkbox.
The Monitoring hosts box becomes editable.


2. Add monitoring hosts.
Select or add one or more hosts that you want to use for monitoring instead of random hosts. If an interface is monitored by more than one host, it will only be regarded as dead if all monitoring hosts do not respond in the defined time span. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Note – If a selected host is bound to an interface, it will only be used to monitor this interface. If a host is not bound to an interface, it will be used to monitor all interfaces. Interfaces not covered by the selected hosts will be monitored by automatic monitoring.

Click the Monitoring Settings icon in the box header to set the monitoring details:

Monitoring type: Select the service protocol for the monitor checks. Select either TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP Ping), HTTP Host (HTTP requests), or HTTPS Host (HTTPS requests) for monitoring. When using UDP, a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If ping does not succeed or an ICMP port unreachable message is returned, the connection is regarded as down.

Port (only with monitoring types TCP and UDP): Port number the request will be sent to.

URL (optional, only with monitoring types HTTP/S Host): URL to be requested. You can use other ports than the default ports 80 or 443 by adding the port information to the URL, e.g., http://example.domain:8080/index.html. If no URL is entered, the root directory will be requested.

Interval: Enter a time interval in seconds at which the hosts are checked.

Timeout: Enter a maximum time span in seconds for the monitoring hosts to send a response. If all monitoring hosts of an interface do not respond during this time, the interface will be regarded as dead.

3. Click Apply.
Your settings will be saved.
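The monitoring host rules from this tab (bound versus unbound hosts, an interface is dead only when all of its hosts fail within the timeout, uncovered interfaces fall back to automatic monitoring, actions run once the uplink is down), as an added example that is not Sophos code; host names, interface names and probe results are constructed.

```python
"""Uplink monitoring evaluation (added example, not Sophos code).

Implements the rules from 6.4.3: a host bound to an interface monitors
only that interface, an unbound host monitors every interface, an
interface is dead only if all of its monitoring hosts fail to answer within
the timeout, and an interface no selected host covers falls back to
automatic monitoring.  Probe results are constructed; nothing is sent.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MonitoringHost:
    name: str
    bound_to: Optional[str] = None   # interface name, or None = all interfaces


@dataclass(frozen=True)
class Probe:
    host: str
    interface: str
    rtt_s: Optional[float]           # None = no answer at all


@dataclass(frozen=True)
class MonitoringSettings:
    interval_s: int = 15             # default interval from the text
    timeout_s: float = 5.0           # constructed default


def hosts_for(interface: str, hosts: List[MonitoringHost]) -> List[MonitoringHost]:
    """Hosts that monitor `interface`: those bound to it plus all unbound ones."""
    return [h for h in hosts if h.bound_to is None or h.bound_to == interface]


def interface_status(interface, hosts, probes, settings) -> str:
    """'ONLINE', 'OFFLINE', or 'AUTOMATIC' when no configured host covers
    the interface and automatic monitoring applies instead."""
    mine = hosts_for(interface, hosts)
    if not mine:
        return "AUTOMATIC"
    answered = {
        p.host for p in probes
        if p.interface == interface
        and p.rtt_s is not None
        and p.rtt_s <= settings.timeout_s
    }
    # Dead only if every monitoring host of this interface stayed silent.
    if any(h.name in answered for h in mine):
        return "ONLINE"
    return "OFFLINE"


def actions_to_apply(status: str, actions):
    """actions: list of (target, 'Enable'|'Disable') as on the Actions tab.
    They are carried out only once the uplink is regarded as down."""
    return list(actions) if status == "OFFLINE" else []


# Constructed configuration: one host bound to eth1, one unbound.
HOSTS = [MonitoringHost("probe-a", bound_to="eth1"),
         MonitoringHost("probe-b")]
SETTINGS = MonitoringSettings(interval_s=15, timeout_s=2.0)
PROBES = [
    Probe("probe-a", "eth1", None),   # bound host did not answer ...
    Probe("probe-b", "eth1", 0.21),   # ... but the unbound one did: ONLINE
    Probe("probe-b", "eth2", 3.40),   # only answer arrived after the timeout
]
ACTIONS = [("backup IPsec tunnel", "Enable"), ("alias 198.51.100.9", "Disable")]

if __name__ == "__main__":
    for ifname in ("eth1", "eth2"):
        status = interface_status(ifname, HOSTS, PROBES, SETTINGS)
        print(ifname, status, actions_to_apply(status, ACTIONS))
```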

6.5 IPv6

Since version 8, Sophos UTM supports IPv6, the successor of IPv4.

The following functions of UTM fully or partly support IPv6.


• Access to WebAdmin and User Portal
• SSH
• NTP
• SNMP
• SLAAC (Stateless Address Autoconfiguration) and DHCPv6 client support for all dynamic interface types
• DNS
• DHCP server
• BGP
• OSPF
• IPS
• Firewall
• NAT
• ICMP
• Server Load Balancing
• Web Filter
• Web Application Firewall
• SMTP
• IPsec (Site-to-site only)
• Syslog server

6.5.1 Global

On the IPv6 > Global tab you can enable IPv6 support for Sophos UTM. Moreover, if enabled, IPv6 information is provided here, e.g., status information or prefix delegation information.

IPv6 support is disabled by default. To enable IPv6, do the following:

1. On the Global tab, enable IPv6.
Click the toggle switch.
The toggle switch turns green. If IPv6 has never been enabled or configured before, the Connectivity area displays the string None.


As soon as IPv6 is enabled, you will find several network and other object definitions referring explicitly to IPv6 around WebAdmin. You can generally use them as you are used to from IPv4 objects.

Note – If IPv6 is enabled, the icons of network objects and the like bear an additional mark that tells you whether the respective object is an IPv6 object or IPv4 object or both.

6.5.2 Prefix Advertisements

On the IPv6 > Prefix Advertisements tab you can configure your Sophos UTM to assign clients an IPv6 address prefix which in turn enables them to pick an IPv6 address by themselves. Prefix advertisement (or router advertisement) is an IPv6 feature where routers (or in this case the UTM) behave, in a way, like a DHCP server in IPv4. However, the routers do not assign IPs directly to clients. Instead, clients in an IPv6 network assign themselves a so-called link-local address for the primary communication with the router. The router then tells the client the prefix for its network segment. Subsequently, the clients generate an IP address consisting of the prefix and their MAC address.

To create a new prefix, do the following:

1. On the Prefix Advertisements tab, click New Prefix.
The dialog box Create New Prefix opens.

2. Make the following settings:

Interface: Select an interface that has an IPv6 address with a 64 bit netmask configured.

DNS server 1/2 (optional): The IPv6 addresses of the DNS servers.

Domain (optional): Enter the domain name that will be transmitted to the clients (e.g., intranet.example.com).

Valid lifetime: The time the prefix is to be valid. Default is 30 days.

Preferred lifetime: The time after which another prefix, whose preferred lifetime has not yet expired, is to be selected by the client. Default is 7 days.

Other config (optional): This option is selected by default. It ensures that a given DNS server and domain name are additionally announced via DHCPv6 for the given prefix. This is useful since, at the moment, there are too few clients which are able to fetch the DNS information from the prefix advertisement (RFC 5006/RFC 6106). Note that this DHCPv6 configuration is hidden and therefore not visible or editable via the DHCP configuration menu.

Comment (optional): Add a description or other information.

3. Click Save.
The new prefix configuration appears on the Prefix Advertisements list.

6.5.3 Renumbering

On the IPv6 > Renumbering tab you can allow automatic renumbering of IPv6 addresses managed by the UTM in case of a prefix change. Additionally, you can renumber IPv6 addresses manually.

The following IPv6 addresses will be modified:
• Hosts, networks, and range definitions
• Primary and secondary interface addresses
• DHCPv6 server ranges and mappings
• DNS mappings

An IPv6 prefix provided via tunnel brokerage will not be renumbered.

Automatic IPv6 Renumbering

By default, IPv6 addresses managed by your UTM are automatically renumbered in the event that the IPv6 prefix changes. Prefix changes are initiated by your ISP via DHCPv6 prefix delegation. To deactivate renumbering, unselect the checkbox and click Apply.

Manual IPv6 Renumbering

You can renumber particular IPv6 addresses managed by the UTM manually. This can be useful if you change your ISP, and your new provider assigns a new IPv6 prefix statically to you instead of automatically via DHCPv6.

1. Specify the current prefix of the IPv6 addresses to be renumbered.
Enter the prefix into the Old prefix field.

2. Specify the new prefix.
Enter the prefix into the New prefix field.

3. Click Apply.
All IPv6 addresses with the defined current prefix will be renumbered using the new prefix.

6.5.4 6to4

On the IPv6 > 6to4 tab you can configure your Sophos UTM to automatically tunnel IPv6 addresses over an existing IPv4 network. With 6to4, every IPv4 address has a /48 prefix from the IPv6 network to which it is mapped. The resulting IPv6 address consists of the prefix 2002 and the IPv4 address in hexadecimal notation.
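The address manipulations behind the Prefix Advertisements, Renumbering and 6to4 tabs, as an added example that is not part of the Sophos documentation or product; it goes beyond the text by spelling out the modified EUI-64 interface identifier (RFC 4291) that SLAAC clients derive from their MAC address, and the prefix, MAC and IPv4 address used are constructed values.

```python
"""IPv6 prefix arithmetic behind the Prefix Advertisements, Renumbering and
6to4 tabs (added example, not Sophos code).

slaac_address: a client's address from an advertised /64 prefix plus an
interface identifier derived from its MAC (modified EUI-64, RFC 4291).
renumber: replace the old prefix with the new one, keeping the host part.
six_to_four_prefix: the /48 under 2002::/16 that a 6to4 site's IPv4
address maps to.
"""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe between the OUI and the NIC part and
    flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Combine an advertised /64 prefix with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("prefix advertisements require a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) + eui64_interface_id(mac)))


def renumber(address: str, old_prefix: str, new_prefix: str) -> Optional[str]:
    """Swap old_prefix for new_prefix; an address outside old_prefix is left
    alone (None), as the tab only renumbers addresses carrying the
    configured current prefix."""
    old = ipaddress.IPv6Network(old_prefix, strict=False)
    new = ipaddress.IPv6Network(new_prefix, strict=False)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefix must have the same length")
    addr = ipaddress.IPv6Address(address)
    if addr not in old:
        return None
    host_bits = int(addr) & int(old.hostmask)
    return str(ipaddress.IPv6Address(int(new.network_address) | host_bits))


def six_to_four_prefix(ipv4: str) -> str:
    """2002:WWXX:YYZZ::/48, with WWXXYYZZ the IPv4 address in hex.  6to4
    (RFC 3056) only works with a public IPv4 address; not checked here."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


if __name__ == "__main__":
    # Constructed values: documentation prefix, arbitrary MAC, TEST-NET-2 IPv4.
    addr = slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    print("SLAAC:", addr)
    print("renumbered:", renumber(addr, "2001:db8:1::/48", "2001:db8:ffff::/48"))
    print("6to4:", six_to_four_prefix("198.51.100.7"))
```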

Note – You can either have 6to4 enabled or Tunnel Broker.

To enable IP address tunneling for a certain interface, do the following:

1. On the 6to4 tab, enable 6to4.
Click the toggle switch.
The toggle switch turns amber and the 6to4 area and the Advanced area become editable.

2. Select an interface.
Select an interface from the Interface drop-down list which has a public IPv6 address configured.

3. Click Apply.
Your settings will be saved. The interface status is displayed on the Global tab.

Advanced

You can change the Server Address to use a different 6to4 relay server. Proceed as follows:

1. Enter a new server address.

2. Click Apply.
Your settings will be saved.

6.5.5 Tunnel Broker

On the IPv6 > Tunnel Broker tab you can enable the use of a tunnel broker. Tunnel brokerage is a service offered by some ISPs which allows you to access the Internet using an IPv6 address.

Note – You can either have 6to4 enabled or Tunnel Broker.


Sophos UTM supports the following tunnel brokers:
• Teredo (only anonymous)
• Freenet6 (by GoGo6) (anonymous or with user account)
• SixXS (user account necessary)
• Hurricane Electric (user account necessary)

To use a tunnel broker, do the following:

1. On the Tunnel Broker tab, enable the use of tunnel broker.
Click the toggle switch.
The toggle switch turns green and the Tunnel Broker area and the Advanced area become editable. The tunnel broker is immediately active using anonymous authentication at Teredo. The connection status is displayed on the Global tab.

If you use SixXS tunnels and the IPv6 connection gets lost, the SixXS tunnels do not restart automatically. In this case check the log files which appear in Logging & Reporting > View Log Files > Today's Log Files.

Tunnel Broker

You can change the default tunnel broker settings.

Authentication: Select an authentication method from the drop-down list.
• Anonymous: Using this method you do not need a user account at the respective broker. The IP address assigned will, however, be temporary.
• User: You need to register at the respective broker to get a user account.

Broker: You can select another broker from the drop-down list.

Username (only available with User): Provide your username for the respective broker.

Password (only available with User): Provide your password for the username.

Click Apply to save your settings.

Advanced

Here you can provide another server address for your selected tunnel broker.

Click Apply to save your settings.


6.6 Static Routing

Every computer connected to a network uses a routing table to determine the path along which an outbound data packet must be sent to reach its destination. For example, the routing table contains the information whether the destination address is on the local network or if the data packet must be forwarded to a router. If a router is involved, the table contains information about which router is to be used for which network.

Two types of routes can be added to the routing table of Sophos UTM: standard static routes and policy routes. With static routes, the routing target is exclusively determined by the packet's destination address. With policy routes, however, it is possible to make routing decisions based on the source interface, source address, service, or destination address.

Note – You do not need to set additional routes for networks attached to UTM's interfaces, nor default routes. The system inserts these routes automatically.

6.6.1 Standard Static Routes

The system automatically inserts routing entries into the routing table for networks that are directly connected to the system. Manual entries are necessary in those cases where there is an additional router which is to be accessed via a specific network. Routes for networks that are not directly connected and that are inserted into the routing table via a command or a configuration file are called static routes.

To add a standard static route, proceed as follows:

1. On the Standard Static Routes tab click New Static Route.
The Create New Static Route dialog box opens.

2. Make the following settings:

Route type: The following route types are available:
• Interface route: Packets are sent out on a particular interface. This is useful in two cases. First, for routing on dynamic interfaces (PPP), because in this case the IP address of the gateway is unknown. Second, for defining a default route having a gateway located outside the directly connected networks.
• Gateway route: Packets are sent to a particular host (gateway).


• Blackhole route: Packets are discarded silently. This is useful in connection with OSPF or other dynamic adaptive routing protocols to avoid routing loops, route flapping, and the like.

Network: Select the destination networks of data packets UTM must intercept.

Interface: Select the interface through which the data packets will leave UTM (only available if you selected Interface Route as route type).

Gateway: Select the gateway/router to which UTM will forward data packets (only available if you selected Gateway Route as route type).

Comment (optional): Add a description or other information.

3. Optionally, make the following advanced setting:

Metric: Enter a metric value which can be an integer from 0 to 4294967295 with a default of 5. The metric value is used to distinguish and prioritize routes to the same destination. A lower metric value is preferred over a higher metric value. IPsec routes automatically have the metric 0.

4. Click Save.
The new route appears on the Standard Static Route list.

5. Enable the route.
Click the toggle switch to activate the route.

To either edit or delete a route, click the corresponding buttons.

6.6.2 Policy Routes

When a router receives a data packet, it normally decides where to forward it based on the destination address in the packet, which is then used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria. Policy-based routing allows for forwarding or routing of data packets according to your own policies.

To add a policy route, proceed as follows:

1. On the Policy Routes tab click New Policy Route.
The Create New Policy Route dialog box opens.

2. Make the following settings:


Position: The position number, defining the priority of the policy route. Lower numbers have higher priority. Routes are matched in ascending order. Once a route has matched, routes with a higher number will not be evaluated anymore.

Route type: The following route types are available:
• Interface route: Packets are sent out on a particular interface. This is useful in two cases. First, for routing on dynamic interfaces (PPP), because in this case the IP address of the gateway is unknown. Second, for defining a default route having a gateway located outside the directly connected networks.
• Gateway route: Packets are sent to a particular host (gateway).

Source interface: The interface on which the data packet to be routed has arrived. The Any setting applies to all interfaces.

Source network: The source network of the data packets to be routed. The Any setting applies to all networks.

Service: The service definition that matches the data packet to be routed. The drop-down list contains all predefined services as well as the services you have defined yourself. These services allow you to specify precisely which kind of traffic should be processed. The Any setting matches any combination of protocols and source and destination ports.

Destination network: The destination network of the data packets to be routed. The Any setting applies to all networks.

Target interface: The interface for the data packets to be sent to (only available if you selected Interface Route as route type).

Gateway: Select the gateway/router to which UTM will forward data packets (only available if you selected Gateway Route as route type).

Comment (optional): Add a description or other information.

3. Click Save.
The new route appears on the Policy Routes list.

4. Enable the route.
Click the toggle switch to activate the route.

To either edit or delete a route, click the corresponding buttons.
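The two lookups described in 6.6.1 and 6.6.2 (destination-based static routes with metric and blackhole, versus policy routes matched by position on source interface, source network, service and destination), as an added example not taken from the Sophos documentation or product; the route tables and packets are constructed.

```python
"""Route selection as described in 6.6.1 and 6.6.2 (added example, not
Sophos code).

Policy routes are consulted first, in position order, matching on source
interface, source network, service and destination network ("Any" is a
wildcard); the first hit wins.  Otherwise a standard static route is chosen
by longest destination prefix, then lowest metric.  A blackhole route
silently discards the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_if: str
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class StaticRoute:
    route_type: str             # "interface" | "gateway" | "blackhole"
    network: str                # destination network in CIDR notation
    target: Optional[str]       # interface name or gateway address
    metric: int = 5             # default from the text; IPsec routes get 0


@dataclass(frozen=True)
class PolicyRoute:
    position: int
    route_type: str             # "interface" | "gateway"
    target: str                 # target interface or gateway
    src_if: str = "Any"
    src_net: str = "Any"
    service: str = "Any"
    dst_net: str = "Any"


def _in_net(ip: str, net: str) -> bool:
    return net == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def policy_lookup(pkt: Packet, routes: List[PolicyRoute]) -> Optional[PolicyRoute]:
    """Lowest position first; once a route matches, later ones are ignored."""
    for r in sorted(routes, key=lambda r: r.position):
        if (r.src_if in ("Any", pkt.src_if) and r.service in ("Any", pkt.service)
                and _in_net(pkt.src, r.src_net) and _in_net(pkt.dst, r.dst_net)):
            return r
    return None


def static_lookup(pkt: Packet, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Destination-only lookup: longest prefix wins, then the lower metric."""
    dst = ipaddress.ip_address(pkt.dst)
    candidates = [r for r in routes
                  if dst in ipaddress.ip_network(r.network, strict=False)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.network, strict=False).prefixlen, r.metric))


def forwarding_decision(pkt, policy_routes, static_routes) -> str:
    """Policy routes take precedence; fall back to the static table."""
    pr = policy_lookup(pkt, policy_routes)
    if pr is not None:
        return f"policy#{pr.position} -> {pr.route_type} {pr.target}"
    sr = static_lookup(pkt, static_routes)
    if sr is None:
        return "no route"
    if sr.route_type == "blackhole":
        return "blackhole (discarded)"
    return f"static {sr.network} -> {sr.route_type} {sr.target} (metric {sr.metric})"


# Constructed routing tables.
STATIC_ROUTES = [
    StaticRoute("gateway", "0.0.0.0/0", "198.51.100.1"),             # default route
    StaticRoute("gateway", "10.20.0.0/16", "10.0.0.254", metric=10),
    StaticRoute("gateway", "10.20.0.0/16", "10.0.0.253", metric=5),  # lower metric wins
    StaticRoute("blackhole", "10.99.0.0/16", None),                  # loop guard
]
POLICY_ROUTES = [
    PolicyRoute(2, "interface", "wan2", src_if="Internal", service="HTTP"),
    PolicyRoute(1, "gateway", "10.0.0.53", src_net="10.0.0.0/24", service="DNS"),
]

if __name__ == "__main__":
    for pkt in (Packet("Internal", "10.0.0.5", "203.0.113.10", "HTTP"),
                Packet("Internal", "10.0.0.5", "203.0.113.10", "SMTP"),
                Packet("DMZ", "172.16.0.9", "10.20.5.5", "SMTP"),
                Packet("DMZ", "172.16.0.9", "10.99.1.1", "SMTP")):
        print(pkt.dst, pkt.service, "->", forwarding_decision(pkt, POLICY_ROUTES, STATIC_ROUTES))
```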


6.7 Dynamic Routing (OSPF)

The Open Shortest Path First (OSPF) protocol is a link-state hierarchical routing protocol primarily used within larger autonomous system networks. Sophos UTM supports OSPF version 2. Compared to other routing protocols, OSPF uses cost as its routing metric. The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. Therefore, a higher bandwidth indicates a lower cost. For example, there is more overhead (higher cost) and time delay involved in crossing a 56 Kbit/s serial line than crossing a 10 Mbit/s Ethernet line.

The OSPF specification does not specify how the cost of an attached network should be computed; this is left to the vendor. Therefore you are free to define your own computation formula. However, if your OSPF network is adjacent to other networks that have cost already defined, you are advised to apply the same computation base.

By default, the cost of an interface is calculated based on the bandwidth. Cisco, for example, computes the cost by dividing 10^8 by the bandwidth of the interface in bits per second. Using this formula, it costs 10^8/10000000 = 10 to cross a 10 Mbit/s Ethernet line, whereas it costs 10^8/1544000 = 64 to cross a 1.544 Mbit/s line (T1) (note that the cost is rounded down to the nearest integer).

6.7.1 Global

On the Interfaces & Routing > Dynamic Routing (OSPF) > Global tab you can make the basic settings for OSPF. Before you can enable the OSPF function, you must have at least one OSPF area configured (on the Area tab).

Caution – Configuring the OSPF function of Sophos UTM requires a technically adept and experienced administrator who is familiar with the OSPF protocol. The descriptions of configuration options given here are by far not sufficient to provide a comprehensive understanding of the OSPF protocol. You are thus advised to use this feature with caution, as a misconfiguration may render your network inoperable.

To configure OSPF, proceed as follows:


1. On the Area tab, create at least one OSPF area.

2. On the Global tab, enable OSPF.
Click the toggle switch.
The toggle switch turns amber and the Router area becomes editable.

3. Enter the router ID.
Enter a unique router ID to identify the Sophos UTM device to other OSPF routers.

4. Click Apply.
Your settings will be saved.

To disable OSPF click the toggle switch.

6.7.2 Area

An OSPF network is divided into areas. These are logical groupings of routers whose information may be summarized towards the rest of the network. Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.

Altogether, there are six types of OSPF areas:

• Backbone: The area with ID 0 (or 0.0.0.0) is reserved for the OSPF network backbone, which forms the core of an OSPF network; all other areas are connected to it.
• Normal: A normal or regular area has a unique ID ranging from 1 (or 0.0.0.1) to 4,294,967,295 (or 255.255.255.255). Normal areas handle external routes by flooding them bi-directionally across the Area Border Router (ABR). Note that external routes are defined as routes which were distributed into OSPF from another routing protocol.
• Stub: Typically, a stub area does not have direct connections to any external networks. Injecting external routes into a stub area is unnecessary because all traffic to external networks must be routed through an Area Border Router (ABR). Therefore, a stub area substitutes a default route for external routes to send traffic to external networks.
• Stub No-Summary: A Stub No-Summary or totally stubby area is similar to a stub area, however this area does not allow so-called summary routes, that is, it restricts type 3 summary link state advertisements (LSAs) from flowing into the area.
• NSSA: A not-so-stubby area (NSSA) is a type of stub area that in contrast to stub areas can support external connections. Note that NSSAs do not support virtual links.
• NSSA No-Summary: An NSSA No-Summary is similar to an NSSA, however this area does not allow so-called summary routes, that is, it restricts type 3 summary link state advertisements (LSAs) from flowing into the area.

To create an OSPF area, proceed as follows:

1. On the Area tab, click New OSPF Area.
The Create New OSPF Area dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the area.

Area ID: Enter the ID of the area in dot-decimal notation (e.g., 0.0.0.1 for a normal area or 0.0.0.0 for the backbone area).

Area Type: Select an area type (see description above) to specify the characteristics of the network that will be assigned to the area in question.

Auth-Type: Select the authentication type used for all OSPF packets sent and received through the interfaces in the area. The following authentication types are available:
• MD5: Select to enable MD5 authentication. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value.
• Plain-Text: Select to enable plain-text authentication. The password is transmitted in clear text over the network.
• Off: Select to disable authentication.

Connect Via Interface: Select an OSPF-enabled interface. Note that to specify an OSPF-enabled interface here it must have been created on the Interfaces tab first.

Connect Virtual Links: All areas in an OSPF autonomous system (AS) must be physically connected to the backbone area (area 0). In some cases where this physical connection is not possible, you can use a virtual link to connect to the backbone through a non-backbone area. In the Connect Virtual Links box, enter the router ID associated with the virtual link neighbor in decimal dot notation (e.g., 10.0.0.8).

Cost: The cost of sending or receiving a data packet in this area. Valid values for cost are in the range from 1 to 65535.

Comment (optional): Add a description or other information.

3. Click Save.
The new area definition appears on the Area tab.

To either edit or delete an OSPF area, click the corresponding buttons.

200   UTM 9 WebAdmin

Page 201: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 201/631

Open Live Log: The OSPF live log logs all activities on the OSPF interface. Click the button to

open the live log in a new window.

6.7.3 Interfaces

On the Interfaces & Routing > Dynamic Routing (OSPF) > Interfaces tab you can create interface definitions to be used within an OSPF area. Each definition contains various parameters that are specific to OSPF-enabled interfaces.

To create an OSPF interface definition, proceed as follows:

1. On the Interfaces tab, click New OSPF Interface.

The Create New OSPF Interface dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this interface.

Interface: Select the interface to associate with this OSPF interface definition.

Auth-Type: Select the authentication type used for all OSPF packets sent and received through this interface. The following authentication types are available:

- MD5: Select to enable MD5 authentication. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value.
- Plain-Text: Select to enable plain-text authentication. The password is transmitted in clear text over the network.
- Off: Select to disable authentication.

Message Digest: Select the message digest (MD) to specify that MD5 authentication is used for this OSPF interface. Note that to select a message digest here it must have been created on the Message Digests tab first.

Cost: The cost of sending a data packet on this interface. Valid values for cost are in the range from 1 to 65535.

Advanced Options (optional): Selecting the Advanced Options checkbox reveals further configuration options:

- Hello Interval: Specify the period of time (in seconds) that Sophos UTM waits between sending Hello packets through this interface. The default value is ten seconds.
- Retransmit Interval: Specify the period of time (in seconds) between link state advertisement (LSA) retransmissions for the interface when an acknowledgment for the LSA is not received. The default value is five seconds.
- Dead Interval: Specify the period of time (in seconds) Sophos UTM waits to receive a Hello data packet through the interface. The default value is 40 seconds. By convention, the Dead Interval value is four times the value of the Hello Interval.
- Priority: Specify the router priority, which is an 8-bit number ranging from 1 to 255, primarily used in determining the designated router (DR) for the particular network. The default value is 1.
- Transmit Delay: Specify the estimated period of time (in seconds) it takes to transmit a link state update packet on the interface. The range is from 1 to 65535 seconds; the default value is 1.

Comment (optional): Add a description or other information.

3. Click Save.

The OSPF interface definition appears on the Interfaces tab.

To either edit or delete an OSPF interface, click the corresponding buttons.

Open Live Log: The OSPF live log logs all activities on the OSPF interface. Click the button to open the live log in a new window.

6.7.4 Message Digests

On the Interfaces & Routing > Dynamic Routing (OSPF) > Message Digests tab so-called message digest keys can be generated. Message digest keys are needed to enable MD5 authentication with OSPF. MD5 authentication uses the password to generate a message digest, which is a 128-bit checksum of the data packet and password. The message digest is sent with the data packet along with a key ID associated with the password.

Note – The receiving routers must be configured with an identical message digest key.

To create a message digest key, proceed as follows:

1. On the Message Digests tab, click New Message Digest Key.

The Create New Message Digest Key dialog box opens.

2. Make the following settings:

ID: Enter the key identifier for this message digest key; the range is from 1 to 255.

MD5-key: Enter the associated password, which must be a string of up to 16 alphanumeric characters.

3. Click Save.

The new key appears on the Message Digests list.

To either edit or delete a digest key, click the corresponding buttons.
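The MD5 authentication described above, worked through as an added example (this is not Sophos UTM code): the sender appends MD5(packet || key) to an OSPF packet whose header carries the key ID (1 to 255) and a cryptographic sequence number, and the receiver recomputes the digest with the key it has stored under that ID. The packet layout follows RFC 2328 Appendix D; the router IDs, key strings and the zero-filled Hello body are constructed for the illustration.

```python
"""OSPFv2 cryptographic (MD5) authentication as described in RFC 2328,
Appendix D. Added example, not Sophos UTM code: the packet bodies, router IDs
and keys below are constructed for illustration."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AU_CRYPTOGRAPHIC = 2     # AuType value for cryptographic authentication
DIGEST_LEN = 16          # MD5 produces a 128-bit (16-byte) digest
HEADER_LEN = 24


def pad_key(md5_key):
    """The WebAdmin MD5-key is up to 16 alphanumeric characters; RFC 2328 D.3
    right-pads shorter keys with zero bytes to a full 16 bytes."""
    raw = md5_key.encode("ascii")
    if not (1 <= len(raw) <= 16 and raw.isalnum()):
        raise ValueError("MD5 key must be 1 to 16 alphanumeric characters")
    return raw.ljust(16, b"\x00")


def build_header(body_len, router_id, area_id, key_id, seq):
    """24-byte OSPFv2 header. With AuType 2 the checksum is zero and the 8-byte
    authentication field carries: 2 zero bytes, key ID, auth data length (16)
    and the cryptographic sequence number. The digest itself is appended after
    the packet and is not counted in the packet length."""
    if not 1 <= key_id <= 255:
        raise ValueError("key ID must be in the range 1 to 255")
    fixed = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO,
                        HEADER_LEN + body_len, router_id, area_id, 0,
                        AU_CRYPTOGRAPHIC)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return fixed + auth


def sign_packet(body, router_id, area_id, key_id, md5_key, seq):
    """Sender side: digest = MD5(packet || padded key), appended to the packet."""
    packet = build_header(len(body), router_id, area_id, key_id, seq) + body
    return packet + hashlib.md5(packet + pad_key(md5_key)).digest()


def verify_packet(wire, keys, last_seq):
    """Receiver side. keys maps key ID -> MD5 key (the Message Digests tab);
    last_seq maps neighbor router ID -> last accepted sequence number and is
    updated on success. Returns (accepted, reason)."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False, "truncated packet"
    length = struct.unpack("!H", wire[2:4])[0]
    au_type = struct.unpack("!H", wire[14:16])[0]
    if au_type != AU_CRYPTOGRAPHIC or length + DIGEST_LEN != len(wire):
        return False, "wrong AuType or length"
    key_id, auth_len, seq = struct.unpack("!BBI", wire[18:24])
    if auth_len != DIGEST_LEN:
        return False, "bad auth data length"
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    router_id = wire[4:8]
    if seq < last_seq.get(router_id, 0):
        return False, "sequence number went backwards (possible replay)"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch (different key or modified packet)"
    last_seq[router_id] = seq
    return True, "ok"


def demo():
    """Constructed exchange: neighbor 10.0.0.8 sends a Hello in area 0.0.0.1."""
    router_id, area_id = bytes([10, 0, 0, 8]), bytes([0, 0, 0, 1])
    body = bytes(20)                       # placeholder Hello body (all zero)
    pkt = sign_packet(body, router_id, area_id, 1, "s3cretKey", 1000)
    same_key = {1: "s3cretKey"}
    other_key = {1: "otherKey"}
    return {
        "matching key": verify_packet(pkt, same_key, {}),
        "different key": verify_packet(pkt, other_key, {}),
        "replayed": verify_packet(pkt, same_key, {router_id: 2000}),
        "tampered": verify_packet(pkt[:-17] + b"\x01" + pkt[-16:], same_key, {}),
    }
```

Running demo() gives four outcomes: the peer holding the same key under the same key ID accepts the packet; a peer with a different key rejects it as a digest mismatch (the Note above); a packet whose sequence number is below the last one accepted from that router ID is rejected; and a packet altered in transit fails verification. The key is a shared secret, so MD5 authentication keeps unconfigured or misconfigured routers out of the adjacency but offers nothing against a party that already holds the key, and the key must be kept to the 16-character limit the form enforces.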

6.7.5 Debug

The Interfaces & Routing > Dynamic Routing (OSPF) > Debug tab shows detailed information about relevant OSPF parameters in a separate browser window. The following information is available:

- Show IP OSPF Neighbor: Used to display OSPF neighbor information on a per-interface basis.
- Show IP OSPF Routes: Used to display the current state of the routing table.
- Show IP OSPF Interface: Used to display OSPF-related interface information.
- Show IP OSPF Database: Used to display lists of information related to the OSPF database for a specific router.
- Show IP OSPF Border-Routers: Used to display the internal OSPF routing table entries to an Area Border Router (ABR) and Autonomous System Boundary Router (ASBR).

6.7.6 Advanced

On the Interfaces & Routing > Dynamic Routing (OSPF) > Advanced tab further OSPF-related configuration options are located, concerning the injection (redistribution) of routing information from a domain other than OSPF into the OSPF domain.

Note – Policy routes cannot be redistributed.

Redistribute connected: Select if you want to redistribute routes of directly connected networks; the default metric (cost) value is 10.

Redistribute static: Select if you want to redistribute static routes.

Note – IPsec tunnels must have Strict Routing disabled to be redistributed (see chapter Connections).

Redistribute IPsec: Select if you want to redistribute the IPsec routes; the Bind to interface option should be disabled.

Redistribute SSL VPN: Select if you want to redistribute SSL VPN routes; the default metric (cost) value is 10.

Redistribute BGP: Select if you want to redistribute BGP routes; the default metric (cost) value is 10.

Announce default route: Select if you want to redistribute a default route into the OSPF domain.

Note – A default route will be advertised into the OSPF domain regardless of whether the UTM itself has a route to 0.0.0.0/0.

Interface link detection: Select if routes on interfaces should only be announced if an interface link is detected.

6.8 Border Gateway ProtocolThe Border GatewayProtocol (BGP) is a routing protocol used mainly by Internet Service Pro-

viders (ISP) to enable communication between multiple autonomous systems (AS), that is

between multiple ISPs, thus being the backbone of the Internet. An autonomous system is a col-

lection of connected IP networks controlled by one or more ISPs and connected via an internal

routing protocol (e.g. IGP). BGP is described as path vector protocol and, in contrast to IGP,makes routing decisions based on path, network policies, and/or rulesets. For this reason it can

be regarded as a reachability protocol rather than a routing protocol.

Each ISP (or other network provider) must have an officiallyregistered Autonomous System

Number (ASN) to identify themselves on the network. Although an ISP may support multiple

autonomous systemsinternally, to the Internet only the routing protocol is relevant. ASN with a

number of the range 64512-65534 are private and can only be used internally.

BGP uses TCP asthe transport protocol, on port 179.

204   UTM 9 WebAdmin

Page 205: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 205/631

When BGP is used between routers of a single AS it's called interior BGP (iBGP); when it isused

between routers of different AS it is called exterior BGP (eBGP).

 A strength of eBGP is that it prevents routing loops, that is an IP packet never passes an AStwice. Thisis accomplished in the following way: An eBGP router maintains a complete list of all

 AS an IP packet needs to pass to reach a certain network segment. When sending, it shares

that information with neighbor eBGP routers which in turn update their routing list if necessary.

When an eBGP router finds that it isalready on such an UPDATE list it does not add itself again.

6.8.1 Global

On the Border Gateway Protocol > Global page, you can enable and disable BGP for the UTM.

1. To be able to enable BGP, create at least one neighbor on the Neighbor page.

2. On the Global page, enable BGP.

Click the toggle switch. The toggle switch turns amber and the BGP System section becomes editable.

3. Make the following settings:

AS Number: Enter the Autonomous System Number (ASN) of your system.

Router ID: Enter an IPv4 address as router ID, which is sent to neighbors during session initialization.

Networks: Add or select the networks that should be announced to the neighbors by the system. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

4. Click Apply.

The toggle switch turns green and BGP becomes active. After a short time, the BGP Summary section displays status information.

6.8.2 Systems

On the Border Gateway Protocol > Systems page you can create an environment with multiple autonomous systems.

Note – This page is only accessible if you enable the use of multiple AS on the Advanced page.

To create a new BGP system, do the following:

1. On the Systems page, click New BGP System.

The Create a new BGP System dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the system.

ASN: Enter the Autonomous System Number (ASN) of your system.

Router ID: Enter an IPv4 address as router ID, which is sent to neighbors during session initialization.

Neighbor: Select the checkboxes of those neighbors who belong to the AS of this system. Note that you need to create the neighbors beforehand on the Neighbor page.

Networks: Add or select the networks that should be announced by the system. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Install Routes: This option is enabled by default and should only be disabled if you want a BGP router to know the routes but not to actively take part in the BGP routing process. If there are multiple AS systems where this option is selected, filter lists must be created to ensure that there are no duplicate networks. Otherwise the routing behavior for identical networks is undefined.

3. Click Save.

The system appears on the Systems list.

6.8.3 Neighbor

On the Border Gateway Protocol > Neighbor page, you can create one or more BGP neighbor routers. A neighbor router (or peer router) builds the connection between multiple autonomous systems (AS) or within a single AS. During the first communication, two neighbors exchange their BGP routing tables. After that they send each other updates about changes in the routing table. Keepalive packets are sent to ensure that the connection is up. In case of errors, notification packets are sent.

Policy routing in BGP differentiates between inbound and outbound policies. This is why defined route maps and filter lists can be applied separately for inbound or outbound traffic.

You need to create at least one neighbor router to be able to enable BGP on the Global page.

To create a new BGP neighbor, do the following:

1. On the Neighbor page, click New BGP Neighbor.

The Create a new BGP neighbor dialog box opens.

2. Make the following settings:

Name: Enter the name of the BGP neighbor router.

Host: Add or select the host definition of the neighbor. The defined IP address must be reachable from the UTM. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Remote ASN: Enter the Autonomous System Number (ASN) of the neighbor.

Authentication: If the neighbor requires authentication, select TCP MD5 Signature from the drop-down list and enter the password, which must correspond to the password the neighbor has set.

3. Make the following advanced settings, if required:

Route in/out: If you have defined a route map, you can select it here. With In or Out you define whether to apply the route map to incoming or outgoing announcements.

Filter in/out: If you have defined a filter list, you can select it here. With In or Out you define whether to apply the filter to incoming or outgoing announcements.

Next-Hop-Self: In an iBGP network, when a router announces an external eBGP network internally, iBGP routers with no direct external connection will not know how to route packets to that network. With this option selected, the eBGP router announces itself as next hop to reach the external network.

Multihop: In some cases, a Cisco router can run eBGP with a third-party router that does not allow direct connection of the two external peers. To achieve the connection, you can use eBGP multihop. eBGP multihop allows a neighbor connection between two external peers that do not have a direct connection. Multihop is only for eBGP and not for iBGP.

Soft-Reconfiguration: Enabled by default. This option enables storing updates sent by the neighbor.

Default Originate: Sends the default route 0.0.0.0 to the neighbor. The neighbor uses this route only if it needs to reach a network that is not in its routing table.

Weight: Cisco-specific option. Sets a generic weight for all routes learned from this neighbor. You can enter a value between 0 and 65535. The route with the highest weight is preferred to reach a particular network. The weight given here overrides the route map weight.

4. Click Save.

The neighbor appears on the Neighbor list.

6.8.4 Route Map

In BGP, route-map is a command to set conditions for redistributing routes and to enable policy routing. On the Border Gateway Protocol > Route Map page, you can create route maps for particular networks, setting metric, weight, and/or preference values.

The best path algorithm, which decides which route to take, works as follows:

1. Weight is checked.*
2. Local preference is checked.*
3. Local route is checked.
4. AS path length is checked.
5. Origin is checked.
6. Metric is checked.*

This is only a short description. Since the calculation of the best path is very complex, please refer to pertinent documentation for detailed information, which is available on the Internet.

The items followed by an asterisk (*) can be directly configured.
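The six-step order above, run as code (an added example, not UTM code, and deliberately stopping at metric, where the real BGP decision process continues with further tie-breakers): select_best() applies the steps in the listed order and reports which one decided, and apply_route_map() models the Metric, Weight, Preference and AS Prepend fields of the route map form as they appear to the router receiving the announcement. The prefixes, next hops and AS numbers are constructed.

```python
"""BGP best-path comparison in the order the manual lists: weight, local
preference, local route, AS path length, origin, metric. Added example, not
UTM code; it models how the Route Map fields (Metric, Weight, Preference,
AS Prepend) change the outcome. Routes and ASNs are constructed."""
from dataclasses import dataclass, replace

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # IGP is preferred


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: list                 # e.g. [65002, 65002, 65002, 65010]
    weight: int = 0               # local to this router, higher wins
    local_pref: int = 100         # manual: default preference is 100
    local_origin: bool = False    # True for routes this router originated
    origin: str = "igp"
    metric: int = 0               # MED, lower wins


# Each step maps a route to a sortable value where lower is better.
STEPS = [
    ("weight", lambda r: -r.weight),
    ("local preference", lambda r: -r.local_pref),
    ("local route", lambda r: 0 if r.local_origin else 1),
    ("AS path length", lambda r: len(r.as_path)),
    ("origin", lambda r: ORIGIN_RANK[r.origin]),
    ("metric", lambda r: r.metric),
]


def select_best(routes):
    """Returns (best route, name of the step that decided). If all six steps
    tie, the first candidate is returned and the step is reported as 'tie'."""
    candidates = list(routes)
    if not candidates:
        raise ValueError("no candidate routes")
    for name, key in STEPS:
        best = min(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == best]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie"


def apply_route_map(route, weight=None, preference=None, metric=None,
                    prepend=()):
    """Applies route map settings to a copy of the route. prepend is the
    sequence of ASNs put in front of the AS path, e.g. (65002, 65002, 65002);
    seen from the receiving router that lengthens the path, so it loses at
    step 4 unless an earlier step already decided."""
    new = replace(route, as_path=list(prepend) + list(route.as_path))
    if weight is not None:
        new.weight = weight
    if preference is not None:
        new.local_pref = preference
    if metric is not None:
        new.metric = metric
    return new


def demo():
    """Constructed scenario: two paths to 10.10.0.0/16, a main and a backup."""
    main = Route("10.10.0.0/16", "192.0.2.1", [65001, 65010])
    backup = Route("10.10.0.0/16", "198.51.100.1", [65002, 65010])
    return {
        "untouched": select_best([main, backup]),
        "prepended backup": select_best(
            [main, apply_route_map(backup, prepend=(65002, 65002, 65002))]),
        "weighted backup": select_best(
            [main, apply_route_map(backup, weight=200,
                                   prepend=(65002, 65002, 65002))]),
        "preferred backup": select_best(
            [main, apply_route_map(backup, preference=200)]),
    }
```

The "weighted backup" case shows why the Weight field (and the neighbor weight that overrides it) needs care: because weight is step 1, a high weight wins even against a path that AS prepending has made much longer, so a weight set for a backup neighbor silently defeats the prepending meant to keep that path in reserve.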

To create a BGP route map, do the following:

1. On the Route Map page, click New BGP Route Map.

The Create a new BGP Route Map dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the route map.

Match By: Select whether the route map should match the IP address of a particular router or a whole AS.

- IP Address: In the Networks box, add or select hosts or networks the filter should apply to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
- AS Number: In the AS Regex box, use BGP regular expressions to define AS numbers the filter should apply to. Example: _100_ matches any route going through AS100.

Networks: Add or select networks and/or hosts the route map should apply to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Metric: By default, a router dynamically learns route metrics. However, you can set your own metric value, which can be an integer from 0 to 4294967295. A lower metric value is preferred over a higher metric value.

Weight: Weight is used to select a best path. It is specified for a specific router and it is not propagated. When multiple routes to the same destination exist, routes with a higher weight value are preferred. Weight is based on the first matched AS path and can be an integer from 0 to 4294967295.

Note – If a neighbor has been given a weight, it overrides the route map weight if the route to a specified network matches.

Preference: You can set a preference value for the AS path which is sent only to all routers in the local AS. Preference (or local preference) tells the routers in an AS which path has to be preferred to reach a certain network outside the AS. It can be an integer from 0 to 4294967295 and the default is 100.

AS Prepend: AS path prepending is used if preference settings for some reason do not suffice to avoid a certain route, for example a backup route which should only be taken in case the main route is unavailable. It allows you to extend the AS path attribute by repeating your own AS number, e.g. 65002 65002 65002. This influences the BGP route selection since the shortest AS path is preferred. Note that route maps with AS Prepend set need to be selected in the Route Out field of a neighbor to work as intended.

3. Click Save.

The route map appears on the Route Map list.

You can now use the route map on a neighbor definition.


6.8.5 Filter List

On the Border Gateway Protocol > Filter List page you can create filter lists used to regulate traffic between networks based on IP address or AS number.

To create a filter list, do the following:

1. On the Filter List page, click New BGP Filter List.

The Create a new BGP Filter List dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the filter list.

Filter By: Select whether the filter should match the IP address of a particular router or a whole AS.

- IP Address: In the Networks box, add or select hosts or networks the filter should apply to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
- AS Number: In the AS Regex box, use BGP regular expressions to define AS numbers the filter should apply to. Example: _100_ matches any route going through AS100.

Networks: Add or select networks and/or hosts that should be denied or permitted information on certain networks. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Action: From the drop-down list, select an action that should be taken if a filter matches. You can either deny or permit traffic.

- Deny: If you deny a network for a particular neighbor via the Filter In field on the Neighbor page, the UTM will ignore announcements for that network. If you do the same via the Filter Out field, the UTM will not send announcements to that neighbor for that network.
- Permit: If you permit a network for a particular neighbor via the Filter In field on the Neighbor page, the UTM will receive announcements for that network only. If you do the same via the Filter Out field, the UTM will send announcements to that neighbor for that network only, but not for any other network you might have defined on the Global or Systems page.

3. Click Save.

The filter list appears on the Filter List list.

You can now use the filter list on a neighbor definition.

6.8.6 Advanced

On the Border Gateway Protocol > Advanced page you can make some additional settings for BGP and you can access BGP debug information windows.

Allow Multiple Autonomous Systems

Allow multiple AS: Select this checkbox if you want to configure multiple AS. This will enable the Systems page, where you can then add multiple AS. At the same time, the BGP System section on the Global page will be disabled, and the Global page will display information for all AS.

Strict IP Address Match

Strict IP address match: Select this checkbox to strictly match IP addresses. Example: 10.0.0.0/8 will only match 10.0.0.0/8, but not 10.0.1.0/24.
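The _100_ AS regex example from the Route Map and Filter List pages, the permit/deny semantics of a filter list, and the Strict IP address match option above, worked through as one added example (not UTM code): the underscore in a BGP regular expression stands for "start or end of the path, or a separator between AS numbers", prefix matching is either exact (strict) or also takes in more specific prefixes, and a permit list admits only the networks it names. The filter lists, prefixes and AS paths are constructed, and the non-strict reading of the 10.0.0.0/8 example (that it then also matches 10.0.1.0/24) is this example's interpretation of the manual's wording.

```python
"""Filter-list matching as the manual describes it: match by IP address
(optionally with Strict IP address match) or by a BGP AS-path regular
expression, then permit or deny. Added example, not UTM code; the filter lists,
prefixes and AS paths are constructed, and the permit/deny semantics follow the
manual's wording (a permit list admits the matched networks only)."""
import ipaddress
import re
from dataclasses import dataclass

# In BGP regular expressions '_' matches the start or end of the path or a
# separator between AS numbers; '.' and the usual operators keep their meaning.
_AS_SEPARATOR = r"(?:^|$|[ (){},])"


def as_regex_to_python(bgp_regex):
    return bgp_regex.replace("_", _AS_SEPARATOR)


def as_path_matches(bgp_regex, as_path):
    """as_path is the list of ASNs as received, e.g. [65001, 100, 65010]."""
    text = " ".join(str(asn) for asn in as_path)
    return re.search(as_regex_to_python(bgp_regex), text) is not None


def prefix_matches(filter_net, prefix, strict=False):
    """Strict: the announced prefix must equal the filter network exactly.
    Non-strict (this example's reading of the manual's 10.0.0.0/8 example):
    any prefix inside the filter network matches as well."""
    want = ipaddress.ip_network(filter_net)
    got = ipaddress.ip_network(prefix)
    if want.version != got.version:
        return False
    return got == want if strict else got.subnet_of(want)


@dataclass
class FilterList:
    name: str
    action: str                 # "permit" or "deny"
    networks: tuple = ()        # Filter By: IP Address
    as_regex: str = None        # Filter By: AS Number


def filter_matches(flt, prefix, as_path, strict=False):
    if flt.as_regex is not None:
        return as_path_matches(flt.as_regex, as_path)
    return any(prefix_matches(n, prefix, strict) for n in flt.networks)


def evaluate(filter_lists, prefix, as_path, strict=False):
    """First matching list decides. Unmatched announcements are dropped when
    any permit list is configured (permit admits 'that network only') and
    accepted when only deny lists are configured."""
    for flt in filter_lists:
        if filter_matches(flt, prefix, as_path, strict):
            return flt.action
    return "deny" if any(f.action == "permit" for f in filter_lists) else "permit"


def demo():
    """Constructed: deny everything under 10.0.0.0/8 and anything via AS 100."""
    lists = [
        FilterList("no-rfc1918-10", "deny", networks=("10.0.0.0/8",)),
        FilterList("avoid-as100", "deny", as_regex="_100_"),
    ]
    return {
        "subnet, relaxed": evaluate(lists, "10.0.1.0/24", [65001, 65010]),
        "subnet, strict": evaluate(lists, "10.0.1.0/24", [65001, 65010], strict=True),
        "via AS100": evaluate(lists, "203.0.113.0/24", [65001, 100, 65010]),
        "via AS65100": evaluate(lists, "203.0.113.0/24", [65001, 65100, 65010]),
    }
```

The "subnet, strict" result is the point of the Strict IP address match option: with it enabled, a deny list for 10.0.0.0/8 no longer catches the more specific 10.0.1.0/24, so a filter written to block a whole range has to list each prefix that may actually be announced. The AS regex cases show why the underscores matter: without them, 100 would also match inside 65100.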

Multiple Path Routing

Normally only one route path is used, even if there are multiple routes with the same cost. If selected, up to eight equal routes can be used at the same time. This allows load balancing between multiple interfaces.

BGP Debug

This section provides access to three debug information windows. Click a button to open a window. The name of a button corresponds to the BGP command you would normally invoke on the command line. The window will then display the result of that command in the form of command line output.

Show IP BGP Neighbor: Displays information on the neighbors of the UTM. Check that the link state for each neighbor is Established.

Show IP BGP Unicast: Displays the current BGP routing table, which gives the preferred paths. This is especially useful to get an overview of your metric, weight, and preference settings and their impact.

Show IP BGP Summary: Displays the status of all BGP connections. This information is also displayed in the BGP Summary section on the Global page.


6.9 Multicast Routing (PIM-SM)

The menu Interfaces & Routing > Multicast Routing (PIM-SM) enables you to configure Protocol Independent Multicast Sparse Mode (PIM-SM) for use on your network. PIM is a protocol to dynamically route multicast packets in networks. Multicast is a technique to deliver packets that are to be received by more than one client efficiently, using as little traffic as possible.

Normally, packets for more than one client are simply copied and sent to every client individually, multiplying the consumed bandwidth by the number of users. Thus servers which have a lot of clients requesting the same packets at the same time, such as servers for streaming content, need a lot of bandwidth.

Multicast, in contrast, saves bandwidth by sending packets only once over each link of the network. To achieve this, multicast includes adequately configured routers in the decision when to create copies on the way from the server (sender) to the client (receiver). The routers use PIM-SM to keep track of active multicast receiver(s) and use this information to configure routing.

A rough scheme of PIM-SM communication is as follows: A sender starts transmitting its multicast data. The multicast router for the sender registers via PIM-SM with the RP router, which in turn sends a join message to the sender's router. Multicast packets now flow from the sender to the RP router. A receiver registers itself via an IGMP broadcast for this multicast group at its local PIM-SM router. This router sends a join request for the receiver towards the RP router, which then in turn forwards multicast traffic to the receiver.

Multicast has its own IP address range, which is 224.0.0.0/4.

6.9.1 Global

On the Multicast Routing (PIM-SM) > Global tab you can enable and disable PIM. The Routing Daemon Settings area displays the status of interfaces and routers involved.

Before you can enable PIM you need to define at least two interfaces to serve as PIM interfaces on the Interfaces tab and one router on the RP Routers tab.

To enable PIM-SM, do the following:

1. On the Global tab, enable PIM-SM.

Click the toggle switch. The toggle switch turns amber and the Routing Daemon Settings area becomes editable.

2. Make the following settings:

Active PIM-SM Interfaces: Select at least two interfaces to use for PIM-SM. Interfaces can be configured on the Interfaces tab.

Active PIM-SM RP Routers: Select at least one RP router to use for PIM-SM. RP routers can be defined on the RP Routers tab.

3. Click Apply.

Your settings will be saved. PIM-SM communication is now active in your network.

To cancel the configuration, click the amber colored toggle switch. To disable PIM-SM, click the green toggle switch.

Live Log

Click the Open Live Log button to open the PIM live log in a new window.

6.9.2 Interfaces

On the Multicast Routing (PIM-SM) > Interfaces tab you can define over which interfaces of Sophos UTM multicast communication should take place.

To create a new PIM-SM interface, do the following:

1. On the Interfaces tab, click New PIM-SM Interface.

The dialog box Create a New PIM-SM Interface opens.

2. Make the following settings:

Name: Enter a descriptive name for the PIM-SM interface.

Interface: Select an interface that is to accept PIM and IGMP network traffic.

DR priority (optional): Enter a number that defines the designated router (DR) priority for the interface. The router with the highest priority honors IGMP requests if more than one PIM-SM router is present on the same network segment. Numbers from 0 to 2^32 are possible. If you do not provide a priority, 0 is used by default.

IGMP: Select the version of the Internet Group Management Protocol that is to be supported. IGMP is used by recipients to establish multicast group memberships.

Comment (optional): Add a description or other information.

3. Click Save.

The new PIM-SM interface is added to the interfaces list.

To either edit or delete a PIM-SM interface, click the corresponding buttons.

6.9.3 RP Routers

In order to be able to use multicast on your network you need to configure one or more rendezvous point routers (RP routers). An RP router accepts registrations both from multicast receivers and senders. An RP router is a regular PIM-SM router that is chosen to be the RP router for certain multicast groups as well. All PIM-SM routers must agree on which router is to be the RP router.

To create an RP router, do the following:

1. On the RP Routers tab, click New Rendezvous Point Router.

The dialog box Create a New RP Router opens.

2. Make the following settings:

Name: Enter a descriptive name for the RP router.

Host: Create (or select) the host that should act as rendezvous point router.

Priority: Enter a number that defines the priority of the RP router. Join messages are sent to the RP router with the lowest priority. Numbers from 0 to 255 are possible. If you do not provide a priority, 0 is used by default.

Multicast Group Prefixes: Enter the multicast group the RP router is responsible for. You can define group prefixes like 224.1.1.0/24 if the RP is responsible for more than one multicast group. The multicast group (prefix) must be within the multicast address range, which is 224.0.0.0/4.

Comment (optional): Add a description or other information.

3. Click Save.

The new RP router is added to the routers list.

To either edit or delete an RP router, click the corresponding buttons.
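How an RP router is picked for a given group, as an added example (not UTM code): the RP Routers tab says join messages go to the RP with the lowest priority and that group prefixes must lie within 224.0.0.0/4, so the code validates those constraints and then chooses among the RPs whose prefixes cover the group. Choosing the longest matching prefix before comparing priorities, and taking the lowest host address as the final tie-break, are assumptions of this example, not statements from the manual. The RP definitions and group addresses are constructed.

```python
"""Rendezvous point selection for a multicast group, following the RP Routers
tab: each RP is responsible for one or more group prefixes inside 224.0.0.0/4,
and join messages go to the RP with the lowest priority value. Added example,
not UTM code; the RP definitions and group addresses are constructed. Longest
prefix match before priority, and the lowest host address as final tie-break,
are this example's assumptions, not statements from the manual."""
import ipaddress
from dataclasses import dataclass

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class RPRouter:
    name: str
    host: str                   # unicast address of the RP router
    priority: int = 0           # manual: 0 to 255, lowest wins, default 0
    group_prefixes: tuple = ()  # e.g. ("224.1.1.0/24",)


def validate_rp(rp):
    """The checks the RP Routers form needs: unicast host, priority in
    range, at least one prefix, every prefix inside 224.0.0.0/4."""
    host = ipaddress.ip_address(rp.host)
    if host.is_multicast:
        raise ValueError("%s: RP host must be a unicast address" % rp.name)
    if not 0 <= rp.priority <= 255:
        raise ValueError("%s: priority must be 0 to 255" % rp.name)
    if not rp.group_prefixes:
        raise ValueError("%s: at least one group prefix is required" % rp.name)
    for p in rp.group_prefixes:
        net = ipaddress.ip_network(p)
        if net.version != 4 or not net.subnet_of(MULTICAST_RANGE):
            raise ValueError("%s: %s is outside 224.0.0.0/4" % (rp.name, p))
    return True


def select_rp(rp_routers, group):
    """Returns the RPRouter a join for `group` is sent to, or None if no RP
    covers the group. Candidates are ranked by longest covering prefix, then
    lowest priority, then lowest host address (the last two tie-breaks are
    this example's assumptions)."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast group address" % group)
    best, best_key = None, None
    for rp in rp_routers:
        validate_rp(rp)
        covering = [ipaddress.ip_network(p) for p in rp.group_prefixes
                    if addr in ipaddress.ip_network(p)]
        if not covering:
            continue
        longest = max(n.prefixlen for n in covering)
        key = (-longest, rp.priority, int(ipaddress.ip_address(rp.host)))
        if best_key is None or key < best_key:
            best, best_key = rp, key
    return best


def demo():
    """Constructed RP set: one catch-all RP and two RPs for 224.1.1.0/24."""
    rps = (
        RPRouter("rp-all", "10.0.0.1", priority=10, group_prefixes=("224.0.0.0/4",)),
        RPRouter("rp-a", "10.0.0.2", priority=5, group_prefixes=("224.1.1.0/24",)),
        RPRouter("rp-b", "10.0.0.3", priority=0, group_prefixes=("224.1.1.0/24",)),
    )
    return {
        "224.1.1.5": select_rp(rps, "224.1.1.5").name,
        "239.1.1.1": select_rp(rps, "239.1.1.1").name,
    }
```

The requirement that all PIM-SM routers agree on the RP is what makes the validation worth doing up front: an RP whose prefix list does not cover a group, or one configured with a prefix outside 224.0.0.0/4, simply leaves that group without a rendezvous point on this router, and the failure shows up as receivers that never get traffic rather than as an error.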

6.9.4 Routes

You need to set up a continuous communication route between receivers and sender(s). If recipient, sender and/or RP router are not within the same network segment, you will need to create a route to enable communication between them.

To create a PIM-SM route, do the following:

1. On the Routes tab, click New PIM-SM Route.

The dialog box Create a New PIM-SM Route opens.

2. Make the following settings:

Route type: The following route types are available:

- Interface route: Packets are sent out on a particular interface. This is useful in two cases. First, for routing on dynamic interfaces (PPP), because in this case the IP address of the gateway is unknown. Second, for defining a default route having a gateway located outside the directly connected networks.
- Gateway route: Packets are sent to a particular host (gateway).

Network: Select the destination address range where the PIM traffic is to be routed to.

Gateway: Select the gateway/router to which data packets will be forwarded (only available if you selected Gateway Route as route type).

Interface: Select the interface on which data packets will be forwarded (only available if you selected Interface Route as route type).

Comment (optional): Add a description or other information.

3. Click Save.

The new PIM-SM route is added to the routes list.

To either edit or delete a PIM-SM route, click the corresponding buttons.

6.9.5 Advanced

On the Interfaces & Routing > Multicast Routing (PIM-SM) > Advanced tab you can configure some advanced settings for PIM.

Shortest Path Tree Settings

In some networks the PIM communication route between sender, RP, and recipient is not the shortest network path possible. The option Enable Switch to Shortest Path Tree allows an existing communication between sender and recipient to be moved to the shortest path available, omitting the RP as moderator, once a certain traffic threshold is reached.

Auto Firewall Settings

With this option enabled, the system will automatically create all firewall rules needed to forward multicast traffic for the specified multicast groups.

Debug Settings

Select the option Enable Debug Mode to see additional debugging information in the PIM-SM routing daemon log.

7 Network Services

This chapter describes how to configure several network services of Sophos UTM for your network.

The following topics are included in this chapter:

• DNS
• DHCP
• NTP

7.1 DNS

The tabs of the Network Services > DNS menu contain miscellaneous configuration options, all related to the Domain Name System (DNS), a system primarily used to translate domain names (computer hostnames) to IP addresses.

7.1.1 Global

Allowed Networks

You can specify the networks that are to be allowed to use UTM as a recursive DNS resolver. Typically, you will select your internal networks here.

Caution – It is extremely important not to select an Any network object, because this introduces a serious security risk and opens your appliance up to abuse from the Internet.

Note – If you already run an internal DNS server, for example as part of Active Directory, you should leave this box empty.

DNSSEC

The Domain Name System Security Extensions (DNSSEC) are a set of extensions to DNS to enhance security. DNSSEC works by digitally signing DNS lookup records using public-key cryptography. If unselected, the UTM accepts all DNS records. If selected, the UTM validates incoming DNS records with regard to DNSSEC signing. Only correctly signed records will be accepted from signed zones.

Note – If selected, DNS records might be rejected by DNSSEC-incapable forwarders that are manually installed or assigned by your ISP. In this case, on the Forwarders tab, remove the DNS forwarders from the box and/or disable the Use forwarders assigned by ISP checkbox.

Flush Resolver Cache

The DNS proxy uses a cache for its records. Each record has an expiration date (TTL, time-to-live) at which it will be deleted, which is normally one day. However, you can empty the cache manually, e.g. if you want recent changes in DNS records to take effect immediately without having to wait for the TTL to expire. To empty the cache, click Flush Resolver Cache Now.

7.1.2 Forwarders

On the Network Services > DNS > Forwarders tab you can specify so-called DNS forwarders. A DNS forwarder is a Domain Name System (DNS) server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. If possible, add a DNS forwarder to your configuration. This should be a host "near" your site, preferably one provided by your Internet provider. It will be used as a "parent" cache. This will speed up DNS requests considerably. If you do not specify a forwarding name server, the root DNS servers will be queried for zone information first, taking a longer time to complete requests.

To create a DNS forwarder, proceed as follows:

1. Select a DNS forwarder.

Select or add a DNS forwarder. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Use Forwarders Assigned By ISP (optional): Select the Use Forwarders Assigned by ISP checkbox to forward DNS queries to the DNS servers of your ISP. When this box is checked, all forwarders automatically assigned by your ISP will be listed in the line below the box.

2. Click Apply.

Your settings will be saved.

7.1.3 Request Routing

Suppose you run your own internal DNS server; this server could be used as an alternate server to resolve DNS queries for a domain you do not want to be resolved by DNS forwarders. On the Network Services > DNS > Request Routing tab you can define routes to your own DNS servers.

To create a DNS request route, proceed as follows:

1. On the Request Routing tab, click New DNS Request Route.

The Create New DNS Request Route dialog box opens.

2. Make the following settings:

Domain: Enter the domain for which you want to use an alternate DNS server.

Target servers: Select or add one or more DNS servers to use for resolving the domain entered above. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Comment (optional): Add a description or other information.

3. Click Save.

The new route appears on the DNS Request Route list and is immediately active.

To either edit or delete a DNS request route, click the corresponding buttons.

7.1.4 Static Entries

If you do not want to set up your own DNS server but need a static DNS mapping for a few hosts of your network, you can enter these mappings.

Starting with UTM version 9.1, this feature has moved to the Definitions & Users > Network Definitions tab. DNS mappings are now defined along with the involved hosts.

When you click the Static Entries button, the Definitions & Users > Network Definitions tab opens. Automatically, only hosts with a static entry are displayed. Use the drop-down list on top of the list to change the filter settings.

7.1.5 DynDNS

Dynamic DNS, or DynDNS for short, is a domain name service which allows static Internet domain names to be assigned to a computer with a varying IP address. You can sign up for the DynDNS service at the website of the respective DynDNS service provider to get a DNS alias that will automatically be updated when your uplink IP address changes. Once you have registered to this service, you will receive a hostname, username, and password, which are necessary for the configuration.

To configure DynDNS, proceed as follows:

1. On the DynDNS tab, click New DynDNS.

The Create New DynDNS dialog box opens.

2. Make the following settings:

Type: The following DynDNS services are available:

• DNSdynamic: Official website: www.dnsdynamic.org
• DNS Park: Official website: www.dnspark.com
• DtDNS: Official website: www.dtdns.com
• DynDNS: Standard DNS service of the service provider Dynamic Network Services Inc. (Dyn). Official website: www.dyndns.com
• DynDNS custom: Custom DNS service of the service provider Dynamic Network Services Inc. (Dyn) (www.dyndns.com). Custom DNS is designed primarily to work with domains owned or registered by yourself.
• easyDNS: Official website: www.easydns.com
• FreeDNS: Official website: freedns.afraid.org
• Namecheap: Official website: www.namecheap.com
• No-IP.com: Official website: www.noip.com
• OpenDNS IP update: Official website: www.opendns.com
• selfHOST: Official website: www.selfhost.de
• STRATO AG: Official website: www.strato.de
• zoneedit: Official website: www.zoneedit.com

Note – In the Server field the URL is displayed to which the UTM sends the IP changes.

Assign (not with type FreeDNS): Define the IP address the DynDNS name is to be associated with. Selecting IP of Local Interface is useful when the interface in question has a public IP address. Typically, you will use this option for your DSL uplink. When you select First public IP on the default route, no interface needs to be specified. Instead, your UTM will send a WWW request to a public DynDNS server which in return will respond with the public IP you are currently using. This is useful when your UTM does not have a public IP address but is located inside a private network, connected to the Internet via a masquerading router.

Note – FreeDNS always uses the first public IP address on the default route.

Interface (not with type FreeDNS, only with IP of local interface): Select the interface for which you want to use the DynDNS service; most likely this will be your external interface connected to the Internet.

Hostname (not with type OpenDNS IP update): Enter the domain name you received from your DynDNS service provider (e.g., example.dyndns.org). Note that you need not adhere to a particular syntax for the hostname to be entered here. What you must enter here exclusively depends on what your DynDNS service provider requires. Apart from that, you can also use your DynDNS hostname as the gateway's main hostname, which, however, is not mandatory.

Label (only with type OpenDNS IP update): Enter the label given to the network. Please refer to the OpenDNS Knowledgebase for further information.

Aliases (optional, only with some types): Use this box to enter additional hostnames which should point to the same IP address as the main hostname above (e.g., mail.example.com, example.com).

MX (optional, only with type DNS Park, DynDNS, or easyDNS): Mail exchangers are used for directing mail to specific servers other than the one a hostname points to. MX records serve a specific purpose: they let you specify the host (server) to which mail for a specific domain should be sent. For example, if you enter mail.example.com as Mail Exchanger, mail addressed to [email protected] would be delivered to the host mail.example.com.

MX priority (optional, only with type DNS Park): Enter a positive integer number indicating whether the specified mail server should be preferred for delivery of mail to the domain. Servers with lower numbers are preferred over servers with higher numbers. You can usually leave the field blank because DNS Park uses a default value of 5 which is appropriate for almost all purposes. For technical details about mail exchanger priorities, see RFC 5321.

Backup MX (optional, only with type DynDNS or easyDNS): Select this checkbox only if the hostname named in the Hostname text box is to serve as main mail exchanger. Then the hostname from the MX text box will only be advertised as a backup mail exchanger.

Wildcard (optional, only with type DynDNS or easyDNS): Select this option if you want subdomains to point to the same IP address as your registered domain. Using this option, an asterisk (*) will be added to your domain serving as a wildcard (e.g., *.example.dyndns.org), thus making sure that, for example, www.example.dyndns.org will point to the same address as example.dyndns.org.

Username: Enter the username you received from the DynDNS service provider.

Password: Enter the password you received from the DynDNS service provider.

Comment (optional): Add a description or other information.

3. Click Save.

The new DynDNS appears on the DynDNS list. The service is still disabled (toggle switch is gray).

4. Enable DynDNS.

Click the toggle switch to enable the DynDNS service.

The service is now enabled (toggle switch is green).

To either edit or delete a DynDNS, click the corresponding buttons.

You can use multiple DynDNS objects at the same time. When all settings for two hostnames are identical, it is recommended to use the Aliases option instead of creating two distinct objects.

7.2 DHCP

The Dynamic Host Configuration Protocol (DHCP) automatically distributes addresses from a defined IP address pool to client computers. It is designed to simplify network configuration on large networks, and to prevent address conflicts. DHCP distributes IP addresses, default gateway information, and DNS configuration information to its clients.

In addition to simplifying the configuration of client computers and allowing mobile computers to move painlessly between networks, DHCP helps to localize and troubleshoot IP address-related problems, as these are mostly issues with the configuration of the DHCP server itself. It also allows for a more effective use of address space, especially when not all computers are active at the same time, as addresses can be distributed as needed and reused when unneeded.

7.2.1 Servers

The tab Network Services > DHCP > Servers allows you to configure a DHCP server. Sophos UTM provides the DHCP service for the connected network as well as for other networks. The DHCP server can be used to assign basic network parameters to your clients. You can run the DHCP service on multiple interfaces, with each interface and each network to be provided having its own configuration set.

Note – On the Options tab you can define additional or different DHCP options to be sent to the clients. A DHCP option defined on the Options tab overwrites a setting made on the Servers tab if its scope is not set to be global. For example, by defining DHCP options for selected hosts only, you can assign them a DNS server or lease time different from what is defined for the DHCP server.

To configure a DHCP server, proceed as follows:

1. On the Servers tab, click New DHCP Server.

The Create New DHCP Server dialog box opens.

2. Make the following settings:

Interface: The interface from which the IP addresses should be assigned to the clients. You can only select an already configured interface.

Address type: This option is only available when IPv6 is globally enabled. Select the IP version of the DHCP server.

Range start/end: The IP range to be used as an address pool on that interface. By default, the configured address area of the network card will appear in the text boxes. If the clients are in the same network, the range must be inside the network attached to the interface. If the clients are in another network, the range must be inside the network where the relayed DHCP requests are forwarded from.

Note – The bigger a defined DHCP IP range, the more memory the UTM will reserve. Please make sure to reduce the DHCP range size to the values you need. The maximum allowed range is a /9 network.

DNS server 1/2: The IP addresses of the DNS servers.

Default gateway (only with IPv4): The IP address of the default gateway.

Note – Both wireless access points and RED appliances need the default gateway to be within the same subnet as the interface they are connected to.

Domain (optional): Enter the domain name that will be transmitted to the clients (e.g., intranet.example.com).

Lease time (only with IPv4): The DHCP client automatically tries to renew its lease. If the lease is not renewed during its lease time, the IP address lease expires. Here you can define this time interval in seconds. The default is 86,400 seconds (one day). The minimum is 600 seconds (10 minutes) and the maximum is 2,592,000 seconds (one month).

Valid lifetime (only with IPv6): The DHCP client automatically tries to renew its lease. If the lease is not renewed during its valid lifetime, the IP address lease status becomes invalid, the address is removed from the interface, and it may be assigned somewhere else. You can select an interval between five minutes and infinity; however, the valid lifetime must be equal to or greater than the preferred lifetime.

Preferred lifetime (only with IPv6): The DHCP client automatically tries to renew its lease. If the lease is not renewed during its preferred lifetime, the IP address lease status becomes deprecated, i.e., it is still valid but will not be used for new connections. You can select an interval between five minutes and infinity.

3. Optionally, make the following advanced settings:

WINS node type (only with IPv4): Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows, a name server and service for NetBIOS computer names. A WINS server acts as a database that matches computer names with IP addresses, thus allowing computers using NetBIOS to take advantage of the TCP/IP network. The following WINS node types are available:

• Do not set: The WINS node type is not set and will be chosen by the client.
• B-node (no WINS): B-node systems use broadcasts only.
• P-node (WINS only): P-node systems use only point-to-point name queries to a Windows name server (WINS).
• M-node (Broadcast, then WINS): M-node systems broadcast first, then query the name server.
• H-node (WINS, then Broadcast): H-node systems query the name server first, then broadcast.

WINS server: Depending on your WINS node type selection, this text box appears. Enter the IP address of the WINS server.

Clients with static mappings only (optional): Select this option to have the DHCP server assign IP addresses only to clients that have a static DHCP mapping (see Definitions & Users > Network Definitions > Network Definitions).

Enable HTTP proxy auto configuration: Select this option if you want to provide a PAC file for automatic proxy configuration of browsers. For more information see chapter Web Protection > Filtering Options > Misc, section Proxy Auto Configuration.

Note – HTTP proxy auto configuration is currently not supported with IPv6 by Microsoft Windows.

Clients via DHCP relay agent: If selected, the DHCP server assigns IP addresses to clients which are not in the network of the attached interface. In this case, the address range defined above has to be inside the network where relayed DHCP requests are forwarded from, and not within the network of the attached interface.

Netmask: Select the netmask of the network where relayed DHCP requests are forwarded from.

Comment (optional): Add a description or other information.

4. Click Save.

The new DHCP server definition appears on the DHCP server list and is immediately active.

To either edit or delete a DHCP server definition, click the corresponding buttons.
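The constraints from the server settings above, collected into one pre-save check, as an added example that is not code from the Sophos UTM guide: the range must lie in the interface network (or in the relayed network when clients come through a relay agent), may not exceed a /9, IPv4 lease times must stay within the stated bounds, and IPv6 lifetimes must be at least five minutes with the valid lifetime never shorter than the preferred one. The field names of DhcpServerDef and the sample definitions are constructed.

```python
"""Validating a DHCP server definition before saving it.

Added example, not code from the Sophos UTM guide. It checks the constraints
the Servers tab describes: the range must lie inside the interface network
(or inside the relayed network when 'Clients via DHCP relay agent' is set),
may not exceed a /9, IPv4 lease times must be within 600 and 2,592,000
seconds, and IPv6 lifetimes must be at least five minutes with the valid
lifetime equal to or greater than the preferred lifetime.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_RANGE_SIZE = 2 ** (32 - 9)            # a /9 network, the largest allowed pool
MIN_LEASE, DEFAULT_LEASE, MAX_LEASE = 600, 86_400, 2_592_000
MIN_LIFETIME = 5 * 60                     # IPv6 lifetimes start at five minutes


@dataclass
class DhcpServerDef:
    interface_net: str                        # network attached to the interface
    range_start: str
    range_end: str
    address_type: str = "ipv4"                # "ipv4" or "ipv6"
    lease_time: int = DEFAULT_LEASE           # IPv4 only, seconds
    valid_lifetime: Optional[int] = None      # IPv6 only, None means infinity
    preferred_lifetime: Optional[int] = None  # IPv6 only, None means infinity
    via_relay: bool = False                   # 'Clients via DHCP relay agent'
    relay_net: Optional[str] = None           # network the relayed requests come from
    default_gateway: Optional[str] = None     # IPv4 only


def validate_dhcp_server(d: DhcpServerDef) -> List[str]:
    """Return the list of problems; an empty list means the definition is acceptable."""
    problems: List[str] = []
    expected_version = 4 if d.address_type == "ipv4" else 6
    start = ipaddress.ip_address(d.range_start)
    end = ipaddress.ip_address(d.range_end)
    if start.version != expected_version or end.version != expected_version:
        return [f"range start/end are not IPv{expected_version} addresses"]
    if start > end:
        problems.append("range start is after range end")

    # The pool must sit in the network the requests actually originate from.
    if d.via_relay and d.relay_net is None:
        problems.append("relay clients need the netmask of the relayed network")
    else:
        pool_net = ipaddress.ip_network(d.relay_net if d.via_relay else d.interface_net,
                                        strict=False)
        if start not in pool_net or end not in pool_net:
            where = "relayed network" if d.via_relay else "interface network"
            problems.append(f"range is not inside the {where} {pool_net}")

    # The UTM reserves memory per address in the pool, hence the /9 ceiling.
    if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
        problems.append("range is larger than a /9 network; reduce it")

    if expected_version == 4:
        if not MIN_LEASE <= d.lease_time <= MAX_LEASE:
            problems.append(f"lease time {d.lease_time}s is outside {MIN_LEASE}-{MAX_LEASE}s")
        iface_net = ipaddress.ip_network(d.interface_net, strict=False)
        if d.default_gateway and ipaddress.ip_address(d.default_gateway) not in iface_net:
            # Wireless APs and RED appliances need the gateway in the interface subnet.
            problems.append("default gateway is outside the interface subnet")
    else:
        for name, value in (("valid", d.valid_lifetime), ("preferred", d.preferred_lifetime)):
            if value is not None and value < MIN_LIFETIME:
                problems.append(f"{name} lifetime is below five minutes")
        # None stands for infinity: a finite valid lifetime can never cover an
        # infinite preferred lifetime, and must not be shorter than a finite one.
        if d.valid_lifetime is not None and (
                d.preferred_lifetime is None or d.valid_lifetime < d.preferred_lifetime):
            problems.append("valid lifetime must be equal to or greater than the preferred lifetime")
    return problems


if __name__ == "__main__":
    # Constructed sample: a LAN pool and a pool served through a relay agent.
    for definition in (
        DhcpServerDef("192.168.1.0/24", "192.168.1.100", "192.168.1.200",
                      default_gateway="192.168.1.1"),
        DhcpServerDef("192.168.1.0/24", "10.5.0.10", "10.5.0.99",
                      via_relay=True, relay_net="10.5.0.0/24"),
        DhcpServerDef("10.0.0.0/8", "10.0.0.1", "10.255.255.254", lease_time=300),
    ):
        print(definition.range_start, "-", definition.range_end,
              validate_dhcp_server(definition) or "ok")
```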

7.2.2 Relay

The Network Services > DHCP > Relay tab allows you to configure a DHCP relay. The DHCP service is provided by a separate DHCP server and the UTM works as a relay. The DHCP relay can be used to forward DHCP requests and responses across network segments. You need to specify the DHCP server and a list of interfaces between which DHCP traffic shall be forwarded.

To configure a DHCP relay, proceed as follows:

1. On the Relay tab, enable DHCP Relay.

Click the toggle switch.

The toggle switch turns amber and the DHCP Relay Configuration area becomes editable.

2. Select the DHCP server.

3. Add the interfaces involved.

Add the interface to the DHCP server as well as all interfaces to the clients' network(s) between which DHCP requests and responses should be forwarded.

4. Click Apply.

Your settings will be saved.

To cancel the configuration, click the amber colored toggle switch.

7.2.3 Static Mappings

You can create static mappings between client and IP address for some or all clients. Starting with UTM version 9.1, this feature has moved to the Definitions & Users > Network Definitions tab. DHCP mappings are now defined along with the involved hosts.

When you click the Static Mappings button, the Definitions & Users > Network Definitions tab opens. Automatically, only hosts with a static mapping are displayed. Use the drop-down list on top of the list to change the filter settings.

7.2.4 IPv4 Lease Table

Using DHCP, a client no longer owns an IP address, but rather leases it from the DHCP server, which gives permission for a client to use the address for a period of time.

The lease table on the Network Services > DHCP > IPv4 Lease Table tab shows the current leases issued by the DHCP server, including information about the start date and the date when the lease will expire.

Add Static Mapping to New Host Definition

You can use an existing lease as template for a static MAC/IP mapping with a host to be defined. Do the following:

1. For the desired lease, click the button Make Static in the Make static column.

The dialog window Make Static opens.

2. Make the following settings:

Action: Select Create a new host.

Name: Enter a descriptive name for the new host.

DHCP server: Select the DHCP server to be used for static mapping. The corresponding DHCP range is displayed below the drop-down list.

IPv4 address: Change the IP address to an address outside the DHCP pool range.

Note – When converting a lease to a static mapping you should change the IP address so that it is no longer inside the scope of the DHCP pool. However, if you change the IP address, the address used by the client will not change immediately, but only when it next tries to renew its lease.

DNS hostname: If you provide a DNS hostname, it will be used as static DNS entry of the host.

Reverse DNS: Select the checkbox to enable the mapping of the host's IP address to its name. Note that although several names can map to the same IP address, one IP address can only ever map to one name.

Comment (optional): Add a description or other information.

3. Click Save.

Your settings will be saved.

You can find the new host with the static mapping on the Definitions & Users > Network Definitions tab.

Add Static Mapping to Existing Host Definition

You can use an existing lease as template for a new static MAC/IP mapping with an existing host definition. Do the following:

1. For the desired lease, click the Make Static button in the Make Static column.

The dialog window Make Static opens.

2. Make the following settings:

Action: Select Use an existing host.

Host: Add the host by clicking the Folder icon.

3. Click Save.

Your settings will be saved.

You can find the host with the static mapping on the Definitions & Users > Network Definitions tab.

7.2.5 IPv6 Lease Table

Using DHCP, a client no longer owns an IP address, but rather leases it from the DHCP server, which gives permission for a client to use the address for a period of time.

The lease table on the Network Services > DHCP > IPv6 Lease Table tab shows the current leases issued by the DHCP server, including information about the start date and the date when the lease will expire.

Note – Leases that have been granted via prefix advertisements are not shown in the table.

Add Static Mapping to New Host Definition

You can use an existing lease as template for a static MAC/IP mapping with a host to be defined. Do the following:

1. For the desired lease, click the button Make Static.

The dialog window Make Static opens.

2. Make the following settings:

Action: Select Create a new host.

Name: Enter a descriptive name for the new host.

DHCP server: Select the DHCP server to be used for static mapping. The corresponding DHCP range is displayed below the drop-down list.

IPv6 address: Change the IP address to an address outside the DHCP pool range.

Note – When converting a lease to a static mapping you should change the IP address so that it is no longer inside the scope of the DHCP pool. However, if you change the IP address, the address used by the client will not change immediately, but only when it next tries to renew its lease.

DNS hostname: If you provide a DNS hostname, it will be used as static DNS entry of the host.

Reverse DNS: Select the checkbox to enable the mapping of the host's IP address to its name. Note that although several names can map to the same IP address, one IP address can only ever map to one name.

Comment (optional): Add a description or other information.

3. Click Save.

Your settings will be saved.

Add Static Mapping to Existing Host Definition

You can use an existing lease as template for a new static MAC/IP mapping with an existing host definition. Do the following:

1. For the desired lease, click the Make Static button in the Make Static column.

The dialog window Make Static opens.

2. Make the following settings:

Action: Select Use an existing host.

Host: Add the host by clicking the Folder icon.

3. Click Save.

Your settings will be saved.

You can find the host with the static mapping on the Definitions & Users > Network Definitions tab.

7.2.6 Options

The Network Services > DHCP > Options tab allows you to configure DHCP options. DHCP options are additional configuration parameters provided by a DHCP server to DHCP clients.

Example: For some VoIP phones, to provide them with the necessary information from your DHCP servers you have to create and activate three additional DHCP options on this page:

• filename: Name of the boot file.
• next-server: Name of the TFTP server which provides the boot file.
• 4 (time-servers): IP address of the time server.

DHCP options can have different scopes: They can e.g. be provided to selected hosts only, or from selected servers only, or even globally. For this reason it is possible to define different parameters for the same host. Some DHCP options are already defined on the DHCP > Servers tab, e.g., DNS server (option 6). In case of conflicting parameter values, the parameters are provided to the client according to the following priority:

1. DHCP option with scope Host
2. DHCP option with scope MAC prefix
3. DHCP option with scope Vendor ID
4. DHCP option with scope Server
5. DHCP server parameter (DHCP > Servers tab)
6. DHCP option with scope Global

Note – With the DHCP request, a DHCP client submits the information which DHCP options it can deal with. As a result the DHCP server only provides the DHCP options the client understands, no matter which options are defined here.
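The six-level precedence and the note above applied in code, as an added example that is not part of the Sophos UTM guide: for a given client it resolves every conflicting option definition to the one highest in the list, with the server parameters from the Servers tab ranked between Server and Global scope, and drops numbered options the client did not ask for. The scope keys, the client record and the VoIP phone sample data are constructed; delivering filename and next-server regardless of the client's request is an assumption based on those being BOOTP header fields rather than numbered options.

```python
"""Resolving which DHCP option values a client receives.

Added example, not code from the Sophos UTM guide. It applies the priority
listed above (Host > MAC prefix > Vendor ID > Server > server parameter >
Global) to a set of option definitions and honours the note that a client is
only sent the numbered options it announced in its request.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lower rank wins. Rank 5 is the 'DHCP server parameter' level (Servers tab).
SCOPE_RANK = {"host": 1, "mac_prefix": 2, "vendor_id": 3, "server": 4, "global": 6}
SERVER_PARAMETER_RANK = 5


@dataclass
class DhcpOption:
    code: str              # "6", "4", "51", ... or "filename" / "next-server"
    value: str
    scope: str             # one of the SCOPE_RANK keys
    selector: str = ""     # host IP, MAC prefix, vendor ID prefix or server name


@dataclass
class Client:
    ip: str
    mac: str
    vendor_id: str
    served_by: str            # name of the DHCP server definition answering it
    requested: List[str]      # numbered option codes the client asked for


def option_applies(opt: DhcpOption, client: Client) -> bool:
    """Match the option's scope against the requesting client."""
    if opt.scope == "global":
        return True
    if opt.scope == "host":
        return opt.selector == client.ip
    if opt.scope == "mac_prefix":
        return client.mac.lower().startswith(opt.selector.lower())
    if opt.scope == "vendor_id":
        return client.vendor_id.startswith(opt.selector)
    if opt.scope == "server":
        return opt.selector == client.served_by
    raise ValueError(f"unknown scope {opt.scope!r}")


def resolve_options(client: Client, options: List[DhcpOption],
                    server_params: Dict[str, str]) -> Dict[str, str]:
    """Return code -> value as the server would hand them to this client."""
    best: Dict[str, Tuple[int, str]] = {}      # code -> (rank, value)

    def offer(code: str, rank: int, value: str) -> None:
        if code not in best or rank < best[code][0]:
            best[code] = (rank, value)

    for code, value in server_params.items():
        offer(code, SERVER_PARAMETER_RANK, value)
    for opt in options:
        if option_applies(opt, client):
            offer(opt.code, SCOPE_RANK[opt.scope], opt.value)
    # Numbered options go out only when requested; filename and next-server
    # are BOOTP header fields and are assumed to be filled in regardless.
    return {code: value for code, (rank, value) in best.items()
            if not code.isdigit() or code in client.requested}


# Constructed sample: the VoIP phone case from the guide plus conflicting DNS
# definitions at several scopes. Server parameters come from the Servers tab.
SAMPLE_OPTIONS = [
    DhcpOption("6", "10.0.0.53", "global"),
    DhcpOption("6", "10.0.1.53", "mac_prefix", "00:04:76"),
    DhcpOption("6", "10.0.2.53", "host", "10.0.1.20"),
    DhcpOption("51", "3600", "server", "guest_dhcp"),
    DhcpOption("4", "10.0.0.123", "vendor_id", "Polycom"),
    DhcpOption("filename", "phone.cfg", "vendor_id", "Polycom"),
    DhcpOption("next-server", "10.0.0.69", "vendor_id", "Polycom"),
]
SAMPLE_SERVER_PARAMS = {"6": "10.0.9.53", "51": "86400"}

if __name__ == "__main__":
    phone = Client("10.0.1.20", "00:04:76:16:EA:62", "PolycomSoundPoint",
                   "lan_dhcp", ["6", "4", "51"])
    print(resolve_options(phone, SAMPLE_OPTIONS, SAMPLE_SERVER_PARAMS))
```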

To create a DHCP option, proceed as follows:

1. Click New DHCP Option.

The Create New DHCP Option dialog box opens.

2. Make the following settings:

Address type (only if IPv6 is enabled): Select the IP version which you create the DHCP option for.

Code: Select the code of the DHCP option you want to create.

Note – With the entry filename you can specify a file to be loaded into the DHCP client to be executed there. With next-server you define the boot server. The numbered DHCP option codes are defined in RFC 2132 and others.

Name: Enter a descriptive name for this option.

Type: Only available if you selected a code with the comment (unknown). Select the data type of the option. The data types IP Address, Text and Hex are available. Depending on the selected data type, enter the appropriate data in the corresponding field below:

Address: Add or select the host or network group with the IP address(es) to be submitted with this DHCP option to the DHCP client. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Text: Enter the text to be submitted with this DHCP option to the DHCP client.

Hex: Enter the hexadecimal value to be submitted with this DHCP option to the DHCP client. Please note that you have to enter the groups of two hexadecimal digits separated by colons (e.g., 00:04:76:16:EA:62).

Integer: Enter the integer value to be submitted with this DHCP option to the DHCP client.

Scope: Define on which condition the DHCP option should be sent.

• Global: The DHCP option will be sent by all defined DHCP servers to all DHCP clients.
• Server: In the Server box, select the DHCP servers which should send the DHCP option. The box displays all DHCP servers defined on the DHCP Servers tab.
• Host: In the Host box, add or select the hosts which should be provided the DHCP option. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
• MAC prefix: Enter a MAC prefix. All DHCP clients with a matching MAC address will be provided the DHCP option.
• Vendor ID: Enter a vendor ID or the prefix of a vendor ID. All DHCP clients which match this string will be provided the DHCP option.

Comment (optional): Add a description or other information.

3. Click Save.

The new DHCP option appears on the DHCP Options list and is immediately active.

To either edit or delete a DHCP option, click the corresponding buttons.
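What the four value types above turn into on the wire, as an added example that is not code from the Sophos UTM guide: it validates an IP Address, Text, Hex (colon-separated pairs, as required by the Hex field) or Integer value and builds the code/length/value triple RFC 2132 defines for a numbered option. Encoding integers as 32-bit big-endian values is an assumption; the guide does not state the width, and the option codes and values used are constructed samples.

```python
"""Encoding a WebAdmin DHCP option value into RFC 2132 wire format.

Added example, not code from the Sophos UTM guide. It validates the value
types offered on the Options tab (IP Address, Text, Hex, Integer) and emits
the code / length / value bytes of one numbered option. Integers are packed
as 32-bit big-endian values, an assumption the guide does not confirm.
"""
import ipaddress
import re
import struct
from typing import List, Union

# The Hex field wants pairs of hex digits separated by colons, e.g. 00:04:76:16:EA:62.
HEX_PAIRS = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")


class OptionValueError(ValueError):
    """Raised when a value does not fit the selected data type."""


def encode_value(data_type: str, value: Union[str, int, List[str]]) -> bytes:
    """Turn a field value of the given data type into the option payload."""
    if data_type == "IP Address":
        addrs = value if isinstance(value, list) else [value]
        try:
            return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
        except ipaddress.AddressValueError as exc:
            raise OptionValueError(f"not an IPv4 address: {exc}") from None
    if data_type == "Text":
        try:
            return str(value).encode("ascii")
        except UnicodeEncodeError:
            raise OptionValueError("text option must be ASCII") from None
    if data_type == "Hex":
        if not HEX_PAIRS.match(str(value)):
            raise OptionValueError(
                "hex value must be pairs of digits separated by colons, e.g. 00:04:76:16:EA:62")
        return bytes.fromhex(str(value).replace(":", ""))
    if data_type == "Integer":
        n = int(value)
        if not 0 <= n <= 0xFFFFFFFF:
            raise OptionValueError("integer must fit in 32 bits")
        return struct.pack("!I", n)
    raise OptionValueError(f"unknown data type {data_type!r}")


def encode_option(code: int, data_type: str, value) -> bytes:
    """Build the code/length/value triple for one numbered DHCP option."""
    if not 1 <= code <= 254:           # 0 is the pad and 255 the end marker
        raise OptionValueError("option code must be between 1 and 254")
    payload = encode_value(data_type, value)
    if not 1 <= len(payload) <= 255:   # the length field is a single byte
        raise OptionValueError("option payload must be 1 to 255 bytes")
    return bytes([code, len(payload)]) + payload


if __name__ == "__main__":
    # Constructed samples: time server (4), DNS servers (6), a vendor blob (43),
    # a lease time (51) and a domain name (15).
    for code, data_type, value in (
        (4, "IP Address", ["10.0.0.123"]),
        (6, "IP Address", ["10.0.0.53", "10.0.1.53"]),
        (43, "Hex", "00:04:76:16:EA:62"),
        (51, "Integer", 86400),
        (15, "Text", "intranet.example.com"),
    ):
        print(code, encode_option(code, data_type, value).hex(":"))
```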

7.3 NTP

The menu Network Services > NTP allows you to configure an NTP server for the connected networks. The Network Time Protocol (NTP) is a protocol used for synchronizing the clocks of computer systems over IP networks. Instead of just synchronizing the time of Sophos UTM, which can be configured on the Management > System Settings > Time and Date tab, you can explicitly allow certain networks to use this service as well.

To enable the use of NTP time synchronization for specific networks, proceed as follows:

1. Enable the NTP server.

Click the toggle switch.

2. Select Allowed networks.

Add or select the networks that should be allowed to access the NTP server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

3. Click Apply.

Your settings will be saved.


8 Network Protection

This chapter describes how to configure basic network protection features of Sophos UTM. The Network Protection Statistics page in WebAdmin shows an overview of intrusion prevention events and dropped data packets for both source and destination hosts. Each of the sections contains a Details link. Clicking the link redirects you to the respective reporting section of WebAdmin, where you can find more statistical information.

Note – You can directly add a Network/Host Exception or a Threat Exception by clicking the Plus icon in the Advanced Threat Protection: Recent Events list.

The following topics are included in this chapter:

- Firewall
- NAT (Network Address Translation)
- Advanced Threat Protection
- Intrusion Prevention
- Server Load Balancing
- VoIP (Voice over IP)
- Advanced Settings

8.1 Firewall

The menu Network Protection > Firewall allows you to define and manage firewall rules of the gateway. Generally speaking, the firewall is the central part of the gateway which functions in a networked environment to prevent some communications forbidden by the security policy. The default security policy of Sophos UTM states that all network traffic is to be blocked and logged, except for automatically generated rule sets that are necessary for other software components of the gateway to work. However, those auto-generated rule sets are not shown on the Firewall > Rules tab. This policy requires you to define explicitly which data traffic is allowed to pass the gateway.


8.1.1 Rules

On the Network Protection > Firewall > Rules tab you can manage the firewall rule set. When you open the tab, only user-created firewall rules are displayed by default. Using the drop-down list on top of the list, you can choose to display automatic firewall rules instead, or both types of rules combined. Automatic firewall rules are displayed with a distinct background color. Automatic firewall rules are generated by UTM based on a selected Automatic firewall rules checkbox in one of your configurations, e.g., when creating IPsec or SSL connections.

All newly defined firewall rules are disabled by default once added to the rules table. Automatic firewall rules and enabled user-created firewall rules are applied in the given order until the first rule matches. Automatic firewall rules are always on top of the list. The processing order of the user-created firewall rules is determined by the position number, so if you change the order of the rules by their position numbers, the processing order changes as well.

Caution – Once a firewall rule has matched, all other rules are ignored. For that reason, the sequence of rules is very important. Never place a rule such as Any (Source) – Any (Service) – Any (Destination) – Allow (Action) at the top of the rule table, as this will allow each packet to traverse the gateway in both directions, ignoring all other rules that may follow.

To create a firewall rule, proceed as follows:

1.   On the Rules tab, click New Rule.
The Create New Rule dialog box opens.

2.   Make the following settings:

Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes; it does not affect rule matching. To create a new group, select the <<New group>> entry and enter a descriptive name in the Name field.

Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

Sources: Add or select source network definitions, describing from which host(s) or networks the packets are originating.


Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Services: Add or select service definitions, describing the protocol(s) and, in case of TCP or UDP, the source and destination port(s) of the packets.

Destinations: Add or select destination network definitions, describing the target host(s) or network(s) of the packets.

Note – When you select more than one source, service and/or destination, the rule applies to every possible source-service-destination combination. A rule with e.g. two sources, two services and two destinations equates to eight single rules, from each source to each destination using both services.

Action: The action that describes what to do with traffic that matches the rule. The following actions can be selected:

- Allow: The connection is allowed and traffic is forwarded.
- Drop: Packets matching a rule with this action will be silently dropped.
- Reject: Connection requests matching rules with this action will be actively rejected. The sender will be informed via an ICMP message.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Time period: By default, no time period definition is selected, meaning that the rule is always valid. If you select a time period definition, the rule will only be valid at the time specified by the time period definition. For more information, see Time Period Definitions.

Log traffic: If you select this option, logging is enabled and packets matching the rule are logged in the firewall log.

Source MAC addresses: Select a MAC address list definition, describing from which MAC addresses the packets are originating. If selected, packets only match the rule if their source MAC address is listed in this definition. Note that you cannot use a MAC address list in combination with the source Any. MAC address list definitions are defined on the Definitions & Users > Network Definitions > MAC Address Definitions tab.


4.   Click Save.
The new rule appears on the Rules list.

5.   Enable the firewall rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.
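The rule semantics described in this section (first match wins, automatic rules first, user rules in ascending position order, new rules disabled until enabled, one rule with several definitions per field expanding to every source-service-destination combination, default policy block) can be modelled in a few lines. This is an added example, not Sophos code; the network and service definitions and the sample rules are constructed for illustration.

```python
"""Model of the first-match firewall rule evaluation described in 8.1.1.

Added example, not Sophos code. Network definitions are ipaddress networks,
services are (protocol, destination port) pairs and ANY stands for the UTM
"Any" definition. All sample definitions and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

ANY = None  # stands for the UTM "Any" definition


@dataclass(frozen=True)
class Service:
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None: any port


@dataclass
class Rule:
    position: int
    action: str                     # "allow", "drop" or "reject"
    sources: list                   # ip_network objects or ANY
    services: list                  # Service objects or ANY
    destinations: list              # ip_network objects or ANY
    enabled: bool = False           # a newly created rule is disabled
    automatic: bool = False         # auto-generated rules sit above all user rules

    def combinations(self):
        """A rule with several definitions per field expands to every
        source-service-destination combination (2 x 2 x 2 = 8 single rules)."""
        return list(product(self.sources, self.services, self.destinations))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def _net_match(defn, addr):
    return defn is ANY or ip_address(addr) in defn


def _svc_match(svc, pkt):
    if svc is ANY:
        return True
    return svc.proto == pkt.proto and svc.dst_port in (None, pkt.dst_port)


def evaluate(rules, pkt):
    """Return (action, matching position) for pkt; position None means no
    rule matched and the default policy (block and log) applied.

    Automatic rules are evaluated first, then enabled user rules in ascending
    position order. The first matching combination wins; later rules are
    never consulted."""
    active = [r for r in rules if r.automatic or r.enabled]
    active.sort(key=lambda r: (not r.automatic, r.position))
    for rule in active:
        for src, svc, dst in rule.combinations():
            if _net_match(src, pkt.src) and _svc_match(svc, pkt) \
                    and _net_match(dst, pkt.dst):
                return rule.action, rule.position
    return "drop", None


# Constructed sample definitions (not from the manual).
LAN = ip_network("192.168.0.0/24")
DMZ = ip_network("10.0.1.0/24")
WEB_A = ip_network("203.0.113.10/32")
WEB_B = ip_network("203.0.113.11/32")
HTTP, HTTPS, SSH = Service("tcp", 80), Service("tcp", 443), Service("tcp", 22)

RULES = [
    # position 1: LAN and DMZ may reach both web servers via HTTP and HTTPS
    Rule(1, "allow", [LAN, DMZ], [HTTP, HTTPS], [WEB_A, WEB_B], enabled=True),
    # position 2: SSH to anywhere is dropped
    Rule(2, "drop", [ANY], [SSH], [ANY], enabled=True),
    # position 3: created but never enabled, so it has no effect
    Rule(3, "allow", [ANY], [SSH], [ANY]),
]

# The rule the Caution warns against: Any - Any - Any - Allow at the top.
CATCH_ALL = Rule(0, "allow", [ANY], [ANY], [ANY], enabled=True)


if __name__ == "__main__":
    print(len(RULES[0].combinations()), "single rules from 2 x 2 x 2 definitions")
    print(evaluate(RULES, Packet("192.168.0.15", "203.0.113.11", "tcp", 443)))
    print(evaluate(RULES, Packet("192.168.0.15", "203.0.113.11", "tcp", 22)))
    print(evaluate([CATCH_ALL] + RULES, Packet("192.168.0.15", "203.0.113.11", "tcp", 22)))
```

With CATCH_ALL at position 0 the SSH drop at position 2 is never reached, which is exactly the shadowing the Caution describes.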

Open Live Log: This will open a pop-up window containing a real-time log of filtered packets, whose regularly updating display shows recent network activity. The background color indicates which action has been applied:

- Red: The packet was dropped.
- Yellow: The packet was rejected.
- Green: The packet was allowed.
- Gray: The action could not be determined.

The live log also contains information about which firewall rule caused a packet to be rejected. Such information is essential for rule debugging. Using the search function, you can filter the firewall log for specific entries. The search function even allows you to negate expressions by typing a dash in front of the expression, e.g. -WebAdmin, which will successively hide all lines containing this expression.

Selecting the Autoscroll checkbox will automatically scroll down the window's scrollbar to always show the most recent results.

Below are some basic hints for configuring the firewall:

- Dropped Broadcasts: By default, all broadcasts are dropped, which in addition will not be logged (for more information, see Advanced). This is useful for networks with many computers utilizing NetBIOS (for example, Microsoft Windows operating systems), because broadcasts will rapidly clutter up your firewall log file. To define a broadcast drop rule manually, group the definitions of the broadcast addresses of all attached networks, add another "global_broadcast" definition of 255.255.255.255/255.255.255.255, then add a rule to drop all traffic to these addresses on top of your firewall configuration. On broadcast-heavy networks, this also has the benefit of increasing the system performance.


- Rejecting IDENT Traffic: If you do not want to use the IDENT reverse proxy, you can actively reject traffic to port 113 (IDENT) of your internal networks. This may prevent longer timeouts on services that use IDENT, such as FTP, IRC, and SMTP.

  Note – If you use masquerading, IDENT requests for masqueraded networks will arrive on the masquerading interface.

- Since NAT will change the addresses of network packets, it has implications on the firewall functionality.
  - DNAT is applied before the firewall. This means that the firewall will "see" the already translated packets. You must take this into account when adding rules for DNAT related services.
  - SNAT and Masquerading are applied after the firewall. This means that the firewall still "sees" the untranslated packets with the original source addresses.

The control panels in the table header can be used to filter firewall rules for specific criteria to rearrange rules for better readability. If you have defined groups, you can select a group from the drop-down menu and thus see all rules that belong to this group. Using the search field you can look for a keyword or just a string to see the rules related to it. The search comprises a rule's source, destination, service, group name, and comment.

8.1.2 Country Blocking

On the Network Protection > Firewall > Country Blocking tab you can enable blocking of traffic coming from or going to a certain country or location. You can either block single countries/locations or whole continents. The blocking is based on the GeoIP information of the host's IP address.

To enable country blocking, proceed as follows:

1.   Enable country blocking.
Click the toggle switch.
The toggle switch turns amber and the Countries section becomes editable.

2.   Select the locations to block.
Via the drop-down lists in front of the location names, specify the blocking status for the respective location:


- All: All traffic coming from or going to this location is blocked.
- From: Traffic coming from this location is blocked.
- To: Traffic going to this location is blocked.
- Off: Traffic from as well as to this location is allowed.

Tip – You can easily select an identical blocking status for all locations of a region. To do so, select the desired blocking status in the drop-down list in front of the respective region name.

3.   Click Apply.
Your settings will be saved. Traffic from and/or to selected locations will be blocked now according to your settings. Note that you can define exceptions for the blocked locations on the Country Blocking Exceptions tab.

Tip – Each section of this page can be collapsed and expanded by clicking the Collapse icon on the right of the section header.

8.1.3 Country Blocking Exceptions

On the Network Protection > Firewall > Country Blocking Exceptions tab you can define exceptions for countries that are blocked on the Country Blocking tab. Exceptions can be made for traffic between a blocked country/location and specific hosts or networks, taking into account the direction and the service of the traffic.

To create a country blocking exception, proceed as follows:

1.   Click New Exception List.
The Create Exception dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the exception.

Comment (optional): Add a description or other information.

Skip blocking of these:

- Region: Using this drop-down list, you can narrow down the countries displayed in the Countries box.


- Countries: Select the checkboxes in front of the locations or countries you want to make the exception for. To select all countries at once, enable the Select all checkbox.

  Note – To select all IP addresses, including those that are not associated with any country, for example internal IP addresses, deselect all checkboxes using the Deselect all checkbox.

For all requests: Select the condition under which the country blocking should be skipped. You can choose between outgoing and incoming traffic, referring to the hosts/networks to be selected in the box below.

- Hosts/networks: Add or select the hosts/networks that should be allowed to send traffic to or receive traffic from the selected countries, depending on the entry selected in the drop-down list above. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Using these services: Optionally, add the services that should be allowed between the selected hosts/networks and the selected countries/locations. If no service is selected, all services are allowed.

3.   Click Save.
The new country blocking exception appears on the Country Blocking Exception list.

To either edit or delete an exception, click the corresponding buttons.

Using Country Blocking Exceptions

Use the country blocking exceptions as follows:

Interface/remote host            Requests      Host/network                       Countries
Local interface                  Coming from   Enter a local interface address    Choose countries to skip
Local interface                  Going to      Enter a local interface address    Choose countries to skip
Remote host (internal network)   Coming from   Enter an internal host/network     Choose countries to skip
Remote host (external network)   Coming from   Enter an external host             Do not choose countries
Remote host (internal network)   Going to      Enter an internal host/network     Choose countries to skip
Remote host (external network)   Going to      Enter an external host             Do not choose countries

8.1.4 ICMP

On the Network Protection > Firewall > ICMP tab you can configure the settings for the Internet Control Message Protocol (ICMP). ICMP is used to exchange connection-related status information between hosts. ICMP is important for testing network connectivity or troubleshooting network problems.

Allowing any ICMP traffic on this tab will override ICMP settings being made in the firewall. If you only want to allow ICMP for certain hosts or networks, you should use the Firewall > Rules tab instead.

Global ICMP Settings

The following global ICMP options are available:

- Allow ICMP On Gateway: This option enables the gateway to respond to ICMP packets of any kind.
- Allow ICMP Through Gateway: This option enables the forwarding of ICMP packets through the gateway if the packets originate from an internal network, i.e., a network without default gateway.
- Log ICMP Redirects: ICMP redirects are sent from one router to another to find a better route for a packet's destination. Routers then change their routing tables and forward the packet to the same destination via the supposedly better route. If you select this option, all ICMP redirects received by the gateway will be logged in the firewall log.

Note – If enabled, the ICMP settings apply to all ICMP packets, including ping and traceroute (if sent via ICMP), even if the corresponding ping and traceroute settings are disabled.


Ping Settings

The program ping is a computer network tool used to test whether a particular host is reachable across an IP network. Ping works by sending ICMP echo request packets to the target host and listening for ICMP echo response replies. Using interval timing and response rate, ping estimates the round-trip time and packet loss rate between hosts.

The following ping options are available:

- Gateway is Ping Visible: The gateway responds to ICMP echo request packets. This feature is enabled by default.
- Ping From Gateway: You can use the ping command on the gateway. This feature is enabled by default.
- Gateway Forwards Pings: The gateway forwards ICMP echo request and echo response packets originating from an internal network, i.e., a network without default gateway.

Note – If enabled, the ping settings also allow traceroute ICMP packets, even if the corresponding traceroute settings are disabled.

Traceroute Settings

The program traceroute is a computer network tool used to determine the route taken by packets across an IP network. It lists the IP addresses of the routers that were involved in transporting the packet. If the packet's route cannot be determined within a certain time frame, traceroute will report an asterisk (*) instead of the IP address. After a certain number of failures, the check will end. An interruption of the check can have many causes, but most likely it is caused by a firewall along the network path that blocks traceroute packets.

The following traceroute options are available:

- Gateway is Traceroute Visible: The gateway responds to traceroute packets.
- Gateway Forwards Traceroute: The gateway forwards traceroute packets originating from an internal network, i.e., a network without default gateway.

Note – In addition, the UDP ports for UNIX traceroute applications are opened, too.

Note – If enabled, the traceroute settings also allow ping packets, even if the corresponding ping settings are disabled.


8.1.5 Advanced

The Network Protection > Firewall > Advanced tab contains advanced settings for the firewall and the NAT rules.

Connection Tracking Helpers

So-called connection tracking helpers enable protocols that use multiple network connections to work with firewall or NAT rules. All connections handled by the firewall are tracked by the conntrack kernel module, a process better known as connection tracking. Some protocols such as FTP and IRC require several ports to be opened, and hence require special connection tracking helpers supporting them to operate correctly. These helpers are special kernel modules that help identify additional connections by marking them as being related to the initial connection, usually by reading the related addresses out of the data stream.

For example, for FTP connections to work properly, the FTP conntrack helper must be selected. This is due to the specifics of the FTP protocol, which first establishes a single connection that is called the FTP control connection. When commands are issued through this connection, other ports are opened to carry the rest of the data (e.g., downloads or uploads) related to that specific command. The problem is that the gateway will not know about these extra ports, since they were negotiated dynamically. Therefore, the gateway will be unable to know that it should let the server connect to the client over these specific ports (active FTP connections) or let clients on the Internet connect to the FTP server (passive FTP connections).

This is where the FTP conntrack helper becomes effective. This special helper is added to the connection tracking module and will scan the control connection (usually on port 21) for specific information. When it runs into the correct information, it will add that specific information to a list of expected connections as being related to the control connection. This in turn enables the gateway to track both the initial FTP connection as well as all related connections properly.

Connection tracking helpers are available for the following protocols:

- FTP
- IRC (for DCC)
- PPTP
- TFTP


Note – The PPTP helper module needs to be loaded if you want to offer PPTP VPN services on the gateway. Otherwise PPTP sessions cannot be established. The reason for this is that PPTP first establishes a TCP port 1723 connection before switching to Generic Routing Encapsulation (GRE) communication, which is a separate IP protocol. If the PPTP helper module is not loaded, all GRE packets will be blocked by the gateway. Alternatively, if you do not want to use the PPTP helper module, you can manually add firewall rules allowing GRE packets for incoming and outgoing traffic.
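What the FTP conntrack helper does on the control connection, reading the address and port announced by a PORT command or a passive-mode reply and recording the data connection it announces as expected and related, can be shown with a small scanner. This is an added example, not Sophos or Linux kernel code; the client and server addresses and the control-channel lines are constructed, and the example additionally insists that the announced address equals the control connection peer, a simplification noted in the code.

```python
"""Model of the FTP connection tracking helper described in 8.1.5: scan the
control connection for PORT, 227 (PASV) and 229 (EPSV) exchanges and record
each announced data connection as an expected, related connection.

Added example, not Sophos or kernel code; addresses and lines are constructed.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Expectation:
    """A data connection the helper expects: who will open it and to where."""
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


def _host_port(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies;
    None if an octet or the port is out of range."""
    nums = [int(g) for g in groups]
    port = nums[4] * 256 + nums[5]
    if any(n > 255 for n in nums) or port == 0:
        return None
    return ".".join(groups[:4]), port


class FtpHelper:
    """Tracks one FTP control connection between client and server."""

    def __init__(self, client, server):
        self.client = client
        self.server = server
        self.expectations = set()

    def scan(self, line, from_client):
        """Inspect one control-channel line; return the Expectation it
        creates, or None if the line announces no data connection."""
        exp = None
        if from_client:
            m = PORT_RE.match(line)
            if m and (hp := _host_port(m.groups())):
                host, port = hp
                # Simplification of this example: only accept an address equal
                # to the control connection peer, so a PORT command cannot
                # create an expectation towards a third host.
                if host == self.client:
                    # Active mode: the server connects back to the client.
                    exp = Expectation(self.server, host, port)
        else:
            m = PASV_RE.match(line)
            if m and (hp := _host_port(m.groups())):
                host, port = hp
                if host == self.server:
                    # Passive mode: the client connects to the server.
                    exp = Expectation(self.client, host, port)
            else:
                m = EPSV_RE.match(line)
                if m:
                    exp = Expectation(self.client, self.server, int(m.group(1)))
        if exp is not None:
            self.expectations.add(exp)
        return exp

    def is_related(self, src, dst, dst_port, proto="tcp"):
        """True if a new connection matches a recorded expectation; the
        expectation is consumed so it cannot be reused."""
        exp = Expectation(src, dst, dst_port, proto)
        if exp in self.expectations:
            self.expectations.remove(exp)
            return True
        return False
```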

Protocol Handling

Enable TCP window scaling: The TCP receive window (RWin) size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. For more efficient use of high bandwidth networks, a larger TCP window size may be used. However, the TCP window size field controls the flow of data and is limited to 2 bytes, or a window size of 65535 bytes. Since the size field cannot be expanded, a scaling factor is used. TCP window scaling is a kernel option of the TCP/IP stack and can be used to increase the maximum window size from 65535 bytes to 1 Gigabyte. Window scaling is enabled by default. However, since some network devices such as routers, load balancers, gateways, and so on still do not fully support window scaling, depending on your environment it might be necessary to turn it off.

Use strict TCP session handling: By default, the system can "pick up" existing TCP connections that are not currently handled in the connection tracking table due to a network facility reset. This means that interactive sessions such as SSH and Telnet will not quit when a network interface is temporarily unavailable. Once this option is enabled, a new three-way handshake will always be necessary to re-establish such sessions. Additionally, this option does not allow the TCP connection methods simultaneous open or TCP split handshakes. It is generally recommended to leave this option turned off.

Validate packet length: If enabled, the firewall will check the data packets for minimal length if the ICMP, TCP, or UDP protocol is used. If the data packets are smaller than the minimal values, they will be blocked and a record will be written to the firewall log.

Spoof protection: By default, spoof protection is disabled. You can choose between the following settings:

- Normal: The gateway will drop and log packets which either have the same source IP address as the interface itself or which arrive on an interface with a source IP of a network assigned to another of its interfaces.
- Strict: The gateway will also drop and log all packets which have a destination IP for an interface but arrive on an interface other than the assigned one, that is, if a packet arrives on an interface for which it is not destined. For example, those packets will be dropped that were sent from an external network to the IP address of the internal interface, which is supposed to accept packets from the internal network only.
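The two spoof protection levels reduce to three checks against the interface table: Normal drops a packet whose source is the receiving interface's own address or lies in a network assigned to another interface, and Strict additionally drops a packet addressed to one interface but arriving on another. The following is an added example, not Sophos code; the interface names and addresses are constructed.

```python
"""Model of the Normal and Strict spoof protection checks of section 8.1.5.
Added example, not Sophos code; interface names and addresses are constructed.
"""
from ipaddress import ip_address, ip_interface

# Constructed interface table: name -> address/prefix of that interface,
# which also gives the network assigned to it.
INTERFACES = {
    "eth0": ip_interface("203.0.113.2/24"),   # external
    "eth1": ip_interface("192.168.0.1/24"),   # internal
    "eth2": ip_interface("10.0.1.1/24"),      # DMZ
}


def spoof_check(mode, in_iface, src, dst, ifaces=INTERFACES):
    """mode is "off", "normal" or "strict". Returns None if the packet passes,
    otherwise the reason for which it is dropped and logged."""
    if mode == "off":
        return None
    src, dst = ip_address(src), ip_address(dst)
    here = ifaces[in_iface]
    # Normal, first condition: the source claims to be the receiving interface.
    if src == here.ip:
        return f"source {src} is the address of {in_iface} itself"
    # Normal, second condition: the source lies in a network assigned to
    # another interface, i.e. it arrived on the wrong side of the gateway.
    for name, iface in ifaces.items():
        if name != in_iface and src in iface.network:
            return f"source {src} belongs to the network of {name}, arrived on {in_iface}"
    if mode == "strict":
        # Strict adds: the destination is an interface address, but the packet
        # arrived on a different interface (e.g. external traffic addressed
        # to the internal interface's IP).
        for name, iface in ifaces.items():
            if name != in_iface and dst == iface.ip:
                return f"destination {dst} is the address of {name}, arrived on {in_iface}"
    return None
```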

Logging Options

Log FTP data connections: The UTM will log the FTP data connections (file and directory listings). The log records are marked by the string "FTP data".

Log unique DNS requests: The UTM will log all outgoing requests to DNS servers as well as their outcome. The log records are marked by the string "DNS request".

Log dropped broadcasts: By default, the firewall drops all broadcasts, which in addition will not be logged. However, if you need broadcasts to be logged in the firewall log, for example, for audit purposes, select this option.

8.2 NAT

The menu Network Protection > NAT allows you to define and manage NAT rules of the gateway. Network Address Translation (NAT) is the process of rewriting the source and/or destination addresses of IP packets as they pass through a router or gateway. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address. When a client sends an IP packet to the router, NAT translates the sending address to a different, public IP address before forwarding the packet to the Internet. When a response packet is received, NAT translates the public address into the original address and forwards it to the client. Depending on system resources, NAT can handle arbitrarily large internal networks.

8.2.1 Masquerading

Masquerading is a special case of Source Network Address Translation (SNAT) and allows you to masquerade an internal network (typically, your LAN with private address space) behind a single, official IP address on a network interface (typically, your external interface connected to the Internet). SNAT is more generic as it allows you to map multiple source addresses to several destination addresses.


Note – The source address is only translated if the packet leaves the gateway system via the specified interface. Note further that the new source address is always the current IP address of that interface (meaning that this address can be dynamic).

To create a masquerading rule, proceed as follows:

1.   On the Masquerading tab, click New Masquerading Rule.
The Create New Masquerading Rule dialog box opens.

2.   Make the following settings:

Network: Select the (internal) network you want to masquerade.

Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

Interface: Select the (external) interface that is connected to the Internet.

Use Address: If the interface you selected has more than one IP address assigned (see Interfaces & Routing > Interfaces > Additional Addresses), you can define here which IP address is to be used for masquerading.

Comment (optional): Add a description or other information.

3.   Click Save.
The new masquerading rule appears on the Masquerading rule list.

4.   Enable the masquerading rule.
Click the toggle switch to activate the masquerading rule.

To either edit or delete a rule, click the corresponding buttons.

Note – You need to allow traffic from the internal network to the Internet in the firewall if you want your clients to access external servers.

IPsec packets are never affected by masquerading rules. To translate the source address of IPsec packets, create an SNAT or Full NAT rule.

8.2.2 NAT

Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are both special cases of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten, while with its counterpart DNAT, the destination addresses of data packets are rewritten. DNAT is especially useful when an internal network uses private IP addresses, but an administrator wants to make some services available to the outside.

This is best demonstrated with an example. Suppose your internal network uses the address space 192.168.0.0/255.255.255.0 and a webserver running at IP address 192.168.0.20 port 80 should be available to Internet-based clients. Because the 192.168. address space is private, the Internet-based clients cannot send packets directly to the webserver. It is, however, possible for them to communicate with the external (public) address of the UTM. DNAT can, in this case, take packets addressed to port 80 of the system's address and forward them to the internal webserver.

Note – PPTP VPN Access is incompatible with DNAT.

In contrast to masquerading, which always maps to the primary network interface address, SNAT maps the source address to the address specified in the SNAT rule.

1:1 NAT is a special case of DNAT or SNAT. In this case all addresses of an entire network are translated one-to-one into the addresses of another network having the same netmask. So the first address of the original network will be translated into the first address of the other network, the second into the second and so on. A 1:1 NAT rule can be applied to either the source or the destination address.

Note – By default, port 443 (HTTPS) is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCP port of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.

Because DNAT is done before firewalling, you must ensure that appropriate firewall rules are defined. For more information, see Network Protection > Firewall > Rules.
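The processing order stated in the firewall hints of 8.1.1 and repeated here (DNAT before the firewall, SNAT and masquerading after it) decides which addresses a firewall rule has to name. The following walk-through, an added example that is not Sophos code, carries the manual's DNAT scenario (192.168.0.0/24, webserver 192.168.0.20 port 80) through that pipeline together with a masqueraded outbound connection; the UTM external address 203.0.113.2, the remote client and the rule layout are constructed.

```python
"""Walk-through of the NAT/firewall processing order: DNAT is applied before
the firewall, SNAT/masquerading after it. Added example, not Sophos code.
Uses the manual's DNAT scenario (192.168.0.0/24, webserver 192.168.0.20:80);
the external address 203.0.113.2, remote client and rules are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    going_to: str        # original destination address
    service: int         # original destination port
    new_dst: str         # "Change the destination to"
    new_port: int


@dataclass(frozen=True)
class MasqRule:
    network: object      # internal network to masquerade (ip_network)
    out_addr: str        # current address of the selected interface


@dataclass(frozen=True)
class FwRule:
    src: object          # ip_network
    dst: object          # ip_network
    dport: object        # int, or None for any port
    action: str


def apply_dnat(rules, pkt):
    for r in rules:
        if pkt.dst == r.going_to and pkt.dport == r.service:
            return replace(pkt, dst=r.new_dst, dport=r.new_port)
    return pkt


def firewall(rules, pkt):
    """First match wins; no match means the default policy: drop."""
    for r in rules:
        if (ip_address(pkt.src) in r.src and ip_address(pkt.dst) in r.dst
                and r.dport in (None, pkt.dport)):
            return r.action
    return "drop"


def apply_masq(rules, pkt):
    for r in rules:
        if ip_address(pkt.src) in r.network:
            return replace(pkt, src=r.out_addr)
    return pkt


def process(pkt, dnat_rules, fw_rules, masq_rules):
    """Return (verdict, packet as the firewall saw it, packet on egress)."""
    seen = apply_dnat(dnat_rules, pkt)            # DNAT first
    verdict = firewall(fw_rules, seen)            # firewall sees translated dst
    if verdict != "allow":
        return verdict, seen, None
    return verdict, seen, apply_masq(masq_rules, seen)   # SNAT/masquerading last


# Constructed scenario
UTM_EXTERNAL = "203.0.113.2"
LAN = ip_network("192.168.0.0/24")
WEBSERVER = ip_network("192.168.0.20/32")
DNAT = [DnatRule(UTM_EXTERNAL, 80, "192.168.0.20", 80)]
MASQ = [MasqRule(LAN, UTM_EXTERNAL)]

# Correct: the rule names the translated (internal) destination.
FW_CORRECT = [FwRule(ANY, WEBSERVER, 80, "allow"),
              FwRule(LAN, ANY, None, "allow")]
# Mistake the hint warns about: the rule names the public address, which the
# firewall never sees for DNATed traffic, so the request is dropped.
FW_WRONG = [FwRule(ANY, ip_network(UTM_EXTERNAL + "/32"), 80, "allow"),
            FwRule(LAN, ANY, None, "allow")]

INBOUND = Packet("198.51.100.9", UTM_EXTERNAL, 80)
OUTBOUND = Packet("192.168.0.15", "198.51.100.9", 443)
```

For the outbound packet the firewall still sees the original source 192.168.0.15, while the egress packet carries the masqueraded source 203.0.113.2.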

To define a NAT rule, proceed as follows:

1.   On the NAT tab, click New NAT Rule.
The Create New NAT Rule dialog box opens.

2.   Make the following settings:

Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes; it does not affect rule matching. To create a new group, select the <<New group>> entry and enter a descriptive name in the Name field.

Position: The position number, defining the priority of the rule. Lower numbers have

higher priority. Rules are matched in ascending order. Once a rule has matched, rules

with a higher number will not be evaluated anymore.

Rule type: Select the network address translation mode. Depending on your selection, various options will be displayed. The following modes are available:

• SNAT (source): Maps the source address of defined IP packets to one new source address. The service can be changed, too.

• DNAT (destination): Maps the destination address of defined IP packets to one new destination address. The service can be changed, too.

• 1:1 NAT (whole networks): Maps IP addresses of a network to another network one-to-one. The rule applies either for the source or for the destination address of the defined IP packets.

• Full NAT (source + destination): Maps both the source address and the destination address of defined IP packets to one new source and one new destination address. The source service and the target service can be changed, too.

• No NAT: This option can be regarded as a kind of exception rule. For example, if you have a NAT rule for a defined network, you can create a No NAT rule for certain hosts inside this network. Those hosts will then be exempted from NAT.

Matching Condition: Add or select the source and destination network/host and the service for which you want to translate addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

• For traffic from: The original source address of the packets. This can be either a single host or an entire network, or, except for the 1:1 NAT rule type, a network range.

• Using service: The original service type of the packets (consisting of source and destination ports as well as a protocol type).

Note – A traffic service can only be translated when the corresponding addresses are translated as well. In addition, a service can only be translated to another service when the two services use the same protocol.


• Going to: The original destination address of the packets. This can be either a single host or an entire network. With SNAT and No NAT, it can also be a network range.

Action: Add or select the source and/or destination and/or the service type into which you want to translate the original IP packet data. The displayed parameters depend on the selected Rule type. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

• Change the source to (only with SNAT or Full NAT mode): Select the source host, that is, the new source address of the packets.

• Change the destination to (only with DNAT or Full NAT mode): Select the destination host, that is, the new destination address of the packets.

• And the service to (only with DNAT, SNAT or Full NAT mode): Select the new service of the packets. Depending on the selected Rule type this can be the source and/or destination service.

• 1:1 NAT mode (only with 1:1 NAT mode): Select one of the following modes:

  • Map Destination: Changes the destination address.

  • Map Source: Changes the source address.

Note – You need to add an entire network into the field For traffic from when you want to map the source, or into the field Going to when you want to map the destination.

• Map to (only with 1:1 NAT mode): Select the network you want to translate the original IP addresses into. Please note that the original network and the translated network must have the same netmask.

Automatic firewall rule (optional): Select this option to automatically generate firewall rules that allow the corresponding traffic to pass through the firewall.

Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:

Rule applies to IPsec packets (only with SNAT or Full NAT mode): Select this option if you want to apply the rule to traffic which is going to be processed by IPsec. By default this option is not selected, thus IPsec traffic is excluded from source network address translation.


Log initial packets (optional): Select this option if you want to write the initializing packet of a communication to the firewall log. Whenever the NAT rule is used, you will then find a message in the firewall log saying "Connection using NAT". This option works for stateful as well as stateless protocols.

4. Click Save.

The new rule appears on the NAT list.

5. Enable the NAT rule.

The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

To either edit or delete a rule, click the corresponding buttons.

8.3 Advanced Threat Protection

On the menu Network Protection > Advanced Threat Protection you can enable and configure the Advanced Threat Protection feature to rapidly detect infected or compromised clients inside your network, and raise an alert or drop the respective traffic. Advanced Threat Protection aims at typical challenges in current corporate networks: on the one hand, management of a mobile workforce with an increasing number of different mobile devices (BYOD), and on the other hand, malware evolution and distribution methods getting faster and faster. Advanced Threat Protection analyzes network traffic, e.g., DNS requests, HTTP requests, or IP packets in general, coming from and going to all networks. It also incorporates Intrusion Prevention and Antivirus data if the respective features are activated. The database used to identify threats is updated constantly by a CnC/Botnet data feed from Sophos Labs through pattern updates. Based on this data, infected hosts and their communication with command-and-control (CnC) servers can quickly be identified and dealt with.

8.3.1 Global

On the Advanced Threat Protection > Global tab, you can activate the Advanced Threat Protection System of Sophos UTM.

To enable Advanced Threat Protection, proceed as follows:

1. Enable the Advanced Threat Protection system.

Click the toggle switch.


The toggle switch turns amber and the Global Settings area becomes editable.

2. Make the following settings:

Policy: Select the security policy that the Advanced Threat Protection system should use if a threat has been detected.

• Drop: The data packet will be logged and dropped.

• Alert: The data packet will be logged.

Network/host exceptions: Add or select the source networks or hosts that should be exempt from being scanned for threats by Advanced Threat Protection. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Threat exceptions: Add destination IP addresses or domain names that you want to skip from being scanned for threats by Advanced Threat Protection. This is the place where you would add false positives to prevent them from being detected as threats. Examples: 8.8.8.8 or google.com.

Caution – Be careful with specifying exceptions. By excluding sources or destinations you may expose your network to severe risks.

3. Click Apply.

Your settings will be saved.

If enabled, and a threat is detected, it will be listed on the Network Protection page. A notification will be sent to the administrator if enabled on the Management > Notifications > Notifications page. The notification is set by default for drop and alert.

Live Log

The Advanced Threat Protection live log can be used to monitor the detected threats. Click the button to open the live log in a new window.

Note – IPS and Web Proxy threats will not be displayed in the Live Log.

8.4 Intrusion Prevention

On the menu Network Protection > Intrusion Prevention you can define and manage IPS rules of the gateway. The Intrusion Prevention System (IPS) recognizes attacks by means of a signature-based IPS rule set. The system analyzes the complete traffic and automatically blocks attacks before they can reach the network. The existing rule set and attack patterns are updated through the pattern updates. New IPS attack pattern signatures are automatically imported to the rule set as IPS rules.

8.4.1 Global

On the Network Protection > Intrusion Prevention > Global tab you can activate the Intrusion Prevention System (IPS) of Sophos UTM.

To enable IPS, proceed as follows:

1. Enable the intrusion prevention system.

Click the toggle switch.

The toggle switch turns amber and the Global IPS Settings area becomes editable.

2. Make the following settings:

Local networks: Add or select the networks that should be protected by the intrusion prevention system. If no local network is selected, intrusion prevention will automatically be deactivated and no traffic is monitored. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Policy: Select the security policy that the intrusion prevention system should use if a blocking rule detects an IPS attack signature.

• Drop silently: The data packet will be dropped without any further action.

• Terminate connection: A terminating data packet (RST for TCP and ICMP Port Unreachable for UDP connections) will be sent to both communication partners to close the connection.

Note – By default, Drop silently is selected. There is usually no need to change this, especially as terminating data packets can be used by an alleged intruder to draw conclusions about the gateway.

3. Click Apply.

Your settings will be saved.

Live Log

The intrusion prevention live log can be used to monitor the selected IPS rules. Click the button to open the live log in a new window.


8.4.2 Attack Patterns

The Network Protection > Intrusion Prevention > Attack Patterns tab contains IPS rules grouped according to common attack patterns. Attack patterns have been combined as follows:

• Operating System Specific Attacks: Attacks trying to exploit operating system related weaknesses.

• Attacks Against Servers: Attacks targeted at all sorts of servers (for example, web servers, mail servers, and so on).

• Attacks Against Client Software: Attacks aimed at client software such as web browsers, multimedia players, and so on.

• Protocol Anomaly: Attack patterns that look out for network anomalies.

• Malware: Software designed to infiltrate or damage a computer system without the owner's informed consent (for example, trojans, DoS communication tools, and the like).

To improve performance, you should clear the checkboxes that do not apply to services or software employed in your local networks. For example, if you do not operate a web server in your local network, you can cancel the selection for HTTP Servers.

For each group, the following settings are available:

Action: By default, each rule in a group has an action associated with it. You can choose between the following actions:

• Drop: The default setting. If an alleged attack attempt has been determined, the causing data packets will be dropped.

• Alert: Unlike the Drop setting, critical data packets are allowed to pass the gateway but will create an alert message in the IPS log.

Note – To change the settings for individual IPS rules, use the Modified Rules box on the Intrusion Prevention > Advanced tab. A detailed list of IPS rules used in Sophos UTM 9 is available at the UTM website.

Rule Age: By default, IPS patterns are restricted to those dating from the last 12 months. Depending on individual factors like overall patch level, legacy systems, or other security requirements, you can select another time span. Selecting a shorter time span will reduce the number of rules and thus improve performance.


Add extra warnings: When this option is selected, each group will include additional rules increasing the IPS detection rate. Note that these rules are more general and vague than the explicit attack patterns and will therefore likely produce more alerts. For that reason, the default action for these rules is Alert, which cannot be configured.

Notify: When this option is selected, a notification is sent to the administrator for every IPS event matching this group. Note that this option only takes effect if you have enabled the notification feature for the intrusion prevention system on the Management > Notifications > Notifications tab. In addition, what type of notification (i.e., email or SNMP trap) is to be sent depends on the settings made there. Note further that it might take up to five minutes before changes of the notification settings become effective.

8.4.3 Anti-DoS/Flooding

On the Anti-DoS/Flooding tab you can configure certain options aimed at defending against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

Generally speaking, DoS and DDoS attacks try to make a computer resource unavailable for legitimate requests. In the simplest case, the attacker overloads the server with useless packets in order to overload it. Since a large bandwidth is required for such attacks, more and more attackers use so-called SYN flood attacks, which do not aim at overloading the bandwidth, but at blocking the system resources. For this purpose, they send so-called SYN packets to the TCP port of the service, often with a forged sender address, thus causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet and waiting for a TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests.

Such attacks, however, can be prevented by limiting the amount of SYN (TCP), UDP, and ICMP packets being sent into your network over a certain period of time.

TCP SYN Flood Protection

To enable SYN (TCP) flood protection, proceed as follows:

1. On the Anti-DoS/Flooding tab, select the checkbox Use TCP SYN Flood Protection.

2. Make the following settings:

Mode: The following modes are available:


• Source and destination addresses: Select this option if you want to drop SYN packets by both their source and destination IP address. First, SYN packets matching the source IP address are restricted to the source packet rate value specified below. Second, if there are still too many requests, they will additionally be filtered according to their destination IP address and restricted to the destination packet rate value specified below. This mode is set as default.

• Destination address only: Select this option if you want to drop SYN packets according to the destination IP address and destination packet rate only.

• Source address only: Select this option if you want to drop SYN packets according to the source IP address and source packet rate only.

Logging: This option lets you select the log level. The following levels are available:

• Off: Select this log level if you want to turn logging completely off.

• Limited: Select this log level to limit logging to five packets per second. This level is set as default.

• Everything: Select this log level if you want verbose logging for all SYN (TCP) connection attempts. Note that SYN (TCP) flood attacks may lead to extensive logging.

Source packet rate: Here you can specify the rate of packets per second that is allowed for source IP addresses.

Destination packet rate: Here you can specify the rate of packets per second that is allowed for destination IP addresses.

Note – It is important to enter reasonable values here, for if you set the rate too high, your web server, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your gateway might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system.

3. Click Apply.

Your settings will be saved.
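The three modes above differ only in which rate limits a SYN must pass and in which order. The following Python is an added illustration of that two-stage logic (not UTM code); the source and destination limiters, the tiny rates and the spoofed-source flood are all constructed for the example.

```python
from collections import defaultdict, deque


class PacketRateLimiter:
    """Allows at most `rate` packets per key within any 1 s sliding window."""

    def __init__(self, rate: int):
        self.rate = rate
        self.seen = defaultdict(deque)  # key -> timestamps (ms) of accepted packets

    def allow(self, key: str, ts_ms: int) -> bool:
        window = self.seen[key]
        while window and ts_ms - window[0] >= 1000:
            window.popleft()
        if len(window) >= self.rate:
            return False
        window.append(ts_ms)
        return True


class SynFloodFilter:
    """Two-stage SYN filter mirroring the manual's three modes.
    Constructed illustration, not UTM code; rates are packets per second."""

    MODES = ("source_and_destination", "destination_only", "source_only")

    def __init__(self, mode: str, source_rate: int, destination_rate: int):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.by_source = PacketRateLimiter(source_rate)
        self.by_destination = PacketRateLimiter(destination_rate)
        self.dropped = 0

    def accept(self, src_ip: str, dst_ip: str, ts_ms: int) -> bool:
        """Return True if the SYN may pass. In source_and_destination mode the
        source limit is applied first; only SYNs that survive it count against
        the destination limit."""
        if self.mode != "destination_only" and not self.by_source.allow(src_ip, ts_ms):
            self.dropped += 1
            return False
        if self.mode != "source_only" and not self.by_destination.allow(dst_ip, ts_ms):
            self.dropped += 1
            return False
        return True


def simulate(mode: str, packets, source_rate: int = 5, destination_rate: int = 8) -> int:
    """Feed (ts_ms, src_ip, dst_ip) SYNs through a filter; return the number accepted."""
    flt = SynFloodFilter(mode, source_rate, destination_rate)
    return sum(1 for ts_ms, src, dst in packets if flt.accept(src, dst, ts_ms))


# Constructed flood: three (spoofed) sources each send six SYNs to the web
# server 203.0.113.10 within 60 ms, interleaved round-robin. The rates are kept
# deliberately tiny (5 per source, 8 per destination) so the effect is visible.
SPOOFED_SOURCES = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
FLOOD = [(round_no * 10 + i, src, "203.0.113.10")
         for round_no in range(6) for i, src in enumerate(SPOOFED_SOURCES)]

if __name__ == "__main__":
    for mode in SynFloodFilter.MODES:
        print(f"{mode:25s} accepted {simulate(mode, FLOOD):2d} of {len(FLOOD)} SYNs")
```

With these constructed rates the source stage lets 15 of the 18 SYNs through and the destination stage then caps them at 8, which is why the default mode and destination-only mode accept the same number here while source-only accepts 15.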

UDP Flood Protection

UDP Flood Protection detects and blocks UDP packet floods. The configuration of UDP Flood Protection is identical to TCP SYN Flood Protection.


ICMP Flood Protection

ICMP Flood Protection detects and blocks ICMP packet floods. The configuration of ICMP Flood Protection is identical to TCP SYN Flood Protection.

8.4.4 Anti-Portscan

The Network Protection > Intrusion Prevention > Anti-Portscan tab lets you configure general portscan detection options.

Portscans are used by hackers to probe secured systems for available services: in order to intrude into a system or to start a DoS attack, attackers need information on network services. If this information is available, attackers might take advantage of the security deficiencies of these services. Network services using the TCP and UDP Internet protocols can be accessed via specific ports, and this port assignment is generally known; for example, the SMTP service is assigned to TCP port 25. Ports that are used by the services are referred to as open, since it is possible to establish a connection to them, whereas unused ports are referred to as closed; every attempt to connect with them will fail. Attackers try to find the open ports with the help of a particular software tool, a port scanner. This program tries to connect with several ports on the destination computer. If it is successful, the tool displays the relevant ports as open and the attackers have the necessary information, showing which network services are available on the destination computer.

Since there are 65535 distinct and usable port numbers for the TCP and UDP Internet protocols, the ports are scanned at very short intervals. If the gateway detects an unusually large number of attempts to connect to services, especially if these attempts come from the same source address, the gateway is most likely being port scanned. If an alleged attacker performs a scan of hosts or services on your network, the portscan detection feature will recognize this. As an option, further portscans from the same source address can be blocked automatically.

Please note that portscan detection is limited to Internet interfaces, i.e., interfaces with a default gateway.

Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:

• Scan of a TCP destination port less than 1024 = 3 points

• Scan of a TCP destination port greater than or equal to 1024 = 1 point
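The scoring rule above is small enough to run end to end. The following Python is an added illustration (not UTM code) that scores TCP connection attempts per source over a 300 ms sliding window and flags a source once its score exceeds 21 points; the connection records are constructed for the example.

```python
from collections import defaultdict, deque

# Thresholds exactly as the manual states them: a source is flagged once its
# score within a 300 ms window exceeds 21 points.
SCORE_THRESHOLD = 21
WINDOW_MS = 300


def port_score(dst_port: int) -> int:
    """Points for one TCP connection attempt: 3 for ports below 1024, else 1."""
    return 3 if dst_port < 1024 else 1


class PortscanDetector:
    """Per-source sliding-window scorer (added illustration, not UTM code)."""

    def __init__(self, threshold: int = SCORE_THRESHOLD, window_ms: int = WINDOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        # source IP -> deque of (timestamp_ms, points), oldest first
        self.events = defaultdict(deque)

    def observe(self, src_ip: str, dst_port: int, ts_ms: int) -> bool:
        """Record one TCP connection attempt from src_ip and return True when
        the score of that source over the last window_ms now exceeds threshold."""
        window = self.events[src_ip]
        window.append((ts_ms, port_score(dst_port)))
        # Forget attempts that have fallen out of the 300 ms window.
        while window and ts_ms - window[0][0] > self.window_ms:
            window.popleft()
        return sum(points for _, points in window) > self.threshold


def flagged_sources(attempts):
    """attempts: iterable of (ts_ms, src_ip, dst_port). Returns the set of
    sources that triggered portscan detection at least once."""
    detector = PortscanDetector()
    flagged = set()
    for ts_ms, src_ip, dst_port in sorted(attempts):
        if detector.observe(src_ip, dst_port, ts_ms):
            flagged.add(src_ip)
    return flagged


# Constructed sample data (not from any real capture):
#  - 10.0.0.5 hits eight well-known ports within 8 ms: 8 * 3 = 24 > 21.
#  - 10.0.0.7 hits 21 high ports within 21 ms: 21 * 1 = 21, not exceeded.
#  - 192.168.1.9 is a normal client opening two ports seconds apart.
SAMPLE_ATTEMPTS = (
    [(1000 + i, "10.0.0.5", port) for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143])]
    + [(2000 + i, "10.0.0.7", 8000 + i) for i in range(21)]
    + [(0, "192.168.1.9", 80), (5000, "192.168.1.9", 443)]
)

if __name__ == "__main__":
    print("flagged:", flagged_sources(SAMPLE_ATTEMPTS))  # {'10.0.0.5'}
```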

To enable portscan detection, proceed as follows:


1. On the Anti-Portscan tab, enable Portscan Detection.

Click the toggle switch.

The toggle switch turns green and the Global Settings area becomes editable.

2. Make the following settings:

Action: The following actions are available:

• Log event only: No measures are taken against the portscan. The event will be logged only.

• Drop traffic: Further packets of the portscan will be silently dropped. A port scanner will report these ports as filtered.

• Reject traffic: Further packets of the portscan will be dropped and an ICMP "destination unreachable/port unreachable" response will be sent to the originator. A port scanner will report these ports as closed.

Limit logging: Enable this option to limit the amount of log messages. A portscan detection may generate many logs while the portscan is being carried out. For example, each SYN packet that is regarded as belonging to the portscan will generate an entry in the firewall log. Selecting this option will restrict logging to five lines per second.

3. Click Apply.

Your settings will be saved.

8.4.5 Exceptions

On the Network Protection > Intrusion Prevention > Exceptions tab you can define source and destination networks that should be excluded from intrusion prevention.

Note – A new IPS exception only applies to new connections. To apply a new IPS exception to an existing connection, you can for example disconnect or restart the respective device.

To create an exception, proceed as follows:

1. On the Exceptions tab, click New Exception List.

The Create Exception List dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this exception.

Skip These Checks: Select the security checks that should be skipped:


• Intrusion Prevention: When you select this option, the IPS of Sophos UTM will be disabled.

• Portscan Protection: Selecting this option disables the protection from attacks aimed at searching your network hosts for open ports.

• TCP SYN Flood Protection: Once selected, the protection from TCP SYN flooding attacks will be disabled.

• UDP Flood Protection: Once selected, the protection from UDP flooding attacks will be disabled.

• ICMP Flood Protection: Once selected, the protection from ICMP flooding attacks will be disabled.

For All Requests: Select at least one condition for which the security checks are to be skipped. You can logically combine several conditions by selecting either And or Or from the drop-down list in front of a condition. The following conditions can be set:

• Coming from These Source Networks: Select to add source hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Networks box that opens after selecting the condition.

• Using These Services: Select to add services that should be exempt from the security checks of this exception rule. Add the respective services to the Services box that opens after selecting the condition.

• Going to These Destinations: Select to add hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Destinations box that opens after selecting the condition.

Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Comment (optional): Add a description or other information.

3. Click Save.

The new exception appears on the Exceptions list.

4. Enable the exception.

The new exception is disabled by default (toggle switch is gray). Click the toggle switch to enable the exception.

The exception is now enabled (toggle switch is green).


To either edit or delete an exception, click the corresponding buttons.

Note – If you want to exempt packets with the destination address of the gateway from intrusion prevention, selecting Any in the Destinations box will not succeed. You must instead select an interface definition of the gateway that contains the gateway's IP address, for example, Internal (Address) if you want to exclude intrusion prevention for the gateway's internal address.

8.4.6 Advanced

Pattern Set Optimization

Activate file related patterns: By default, patterns against file-based attacks are disabled, as protection against those threats is usually covered by the Antivirus engine. This default setting (disabled) provides maximum performance, while enabling this option provides the maximum recognition rate. Enabling file-related patterns may be a sensible option where no other virus protection is available, e.g., Web Protection is turned off or no client Antivirus program is installed.

Manual Rule Modification

In this section, you can configure manual modifications to each IPS rule, overwriting the default policy, which is taken from the attack pattern groups. Such modifications should be configured by experienced users only.

To create a modified rule, proceed as follows:

1. In the Modified rules box, click the Plus icon.

The Modify Rule dialog box opens.

2. Make the following settings:

Rule ID: Enter the ID of the rule you want to modify. To look up the rule ID, go to the list of IPS rules at the Sophos website. (In the folder, look for files with IPS-rules in their names, available for different UTM versions and pattern versions, and both in HTML and XML format.) In addition, rule IDs can be determined from the IPS log or the IPS report.

Disable this rule: When you select this option, the rule with the respective ID will be disabled.

If you do not select this option, however, the following two options are available:


• Disable notifications: Selecting this option will not trigger a notification in case the rule in question was applied.

• Action: The action each rule is associated with. You can choose between the following actions:

  • Drop: If an alleged attack attempt has been determined, the causing data packets will be dropped.

  • Alert: Unlike the Drop setting, critical data packets are allowed to pass the gateway but will create an alert message in the IPS log.

3. Click Save.

The rule appears in the Modified rules box. Please note that you also need to click Apply on the bottom of the page to commit the changes.

Note – If you add a rule ID to the Modified rules box and set the action to Alert, for example, this modification will only take effect if the group to which the rule belongs is enabled on the Attack Patterns tab. If the corresponding attack pattern group is disabled, modifications to individual IPS rules will have no effect.

Performance Tuning

In addition, to increase the performance of the intrusion prevention system and to minimize the amount of false positive alerts, you can limit the scope of IPS rules to only some of your internal servers. For example, suppose you have activated the HTTP Servers group on the Attack Patterns tab and you have selected a particular HTTP server here. Then, even if the intrusion prevention system recognizes an attack against an HTTP server, the associated action (Drop or Alert) will only be applied if the IP address of the affected server matches the IP address of the HTTP server selected here.

You can limit the scope of IPS rules for the following server types:

• HTTP: All attack pattern groups subsumed under HTTP Servers

• DNS: Attack pattern group DNS

• SMTP: Attack pattern groups Exchange and Sendmail

• SQL: All attack pattern groups subsumed under Database Servers


8.5 Server Load Balancing

With the server load balancing function you can distribute incoming connections (e.g., SMTP or HTTP traffic) to several servers behind the gateway. Balancing is based on the source IP address with a persistence time of one hour. If the interval between two requests from the same source IP address exceeds that interval, the balancing is redecided. The traffic distribution is based on a simple round-robin algorithm.

All servers from the server pool are monitored either by ICMP ping, TCP connection establishment, or HTTP/S requests. In case of a failure the affected server is not used anymore for distribution; any possible source IP persistence is overruled.

Note – A return code of HTTP/S requests must either be 1xx Informational, 2xx Success, 3xx Redirection, or 4xx Client Error. All other return codes are taken as failure.

8.5.1 Balancing Rules

On the Network Protection > Server Load Balancing > Balancing Rules tab you can create load balancing rules for Sophos UTM Software. After having created a rule, you can additionally define weight distribution between servers and set interface persistence.

To create a load balancing rule, proceed as follows:

1. On the Balancing Rules tab, click New Load Balancing Rule.

The Create New Load Balancing Rule dialog box opens.

2. Make the following settings:

Service: The network service you want to balance.

Virtual server: The original target host of the incoming traffic. Typically, the address will be the same as the gateway's external address.

Real servers: The hosts that will in turn accept traffic for the service.

Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.


Check type: Select either

• TCP (TCP connection establishment),

• UDP (UDP connection establishment),

• Ping (ICMP Ping),

• HTTP Host (HTTP requests),

• or HTTPS Hosts (HTTPS requests) for service monitoring.

When using UDP, a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If ping does not succeed or the ICMP port is unreachable, the server is regarded as down. For HTTP and HTTPS requests you can enter a URL, which can either be with or without hostname, e.g. index.html or http://www.example.com/index.html.

Interval: Enter a check interval in seconds. The default is 15 seconds, i.e., every 15 seconds the health status of all real servers is checked.

Timeout: Enter a maximum time span in seconds for the real servers to send a response. If a real server does not respond during this time, it will be regarded as dead.

Automatic firewall rules (optional): Select this checkbox to automatically generate firewall rules. These rules allow forwarding traffic from any host to the real servers.

Shutdown virtual server address (optional): If and only if you use an additional address as virtual server for load balancing (see chapter Interfaces > Additional Addresses) this checkbox can be enabled. In case all real servers become unavailable, that additional address interface will be automatically shut down.

Comment (optional): Add a description or other information.

3. Click Save.

The new rule appears on the Balancing Rules list.

4. Enable the load balancing rule.

The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.

Example: Suppose that you have two HTTP servers in your DMZ with the IP addresses 192.168.66.10 and 192.168.66.20, respectively. Assume further that you want to distribute HTTP traffic arriving on the external interface of your gateway equally to both servers. To set up a load balancing rule, select or create a host definition for each server. You may call them http_server_1 and http_server_2. Then, in the Create New Load Balancing Rule dialog box, select HTTP as Service. In addition, select the external address of the gateway as Virtual server. Finally, put the host definitions into the Real servers box.

Weight Distribution and Interface Persistence

To distribute weight between the load balancing servers and/or to set interface persistence for them, do the following:

1.   Click the Edit button of a load balancing rule.

The Edit Load Balancing Rule dialog box opens.

2.   Click the Scheduler button on the header of the Real servers box.

The Edit Scheduler dialog window opens.

3.   Make the following settings:

Weight: Weight can be set from 0 to 100 and specifies how much traffic is processed by a server relative to all other servers. A weighted round robin algorithm is used for this, a higher value meaning that more traffic is routed to the respective server. The values are evaluated relative to each other, so they need not add up to 100. Instead, you can have a configuration, for example, where server 1 has value 100, server 2 has value 50 and server 3 has value 0. Here, server 2 gets only half the traffic of server 1, whereas server 3 only comes into action when none of the other servers is available. A value of zero means that another server with a higher value is always chosen if available.

Persistence: Interface persistence is a technique which ensures that subsequent connections from a client are always routed over the same uplink interface. Persistence has a default timeout of one hour. You can also disable interface persistence for this balancing rule.

4.   Click Save.

The Edit Scheduler dialog window closes and your settings are saved.

5.   Click Save.

The Edit Load Balancing Rule dialog box closes.
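The scheduler behaviour from step 3 (weighted round robin, a zero weight meaning pure backup, and persistence with a timeout) as an added Python model; this is not Sophos code, the server names, weights and health states are constructed, and pinning a client to the real server chosen for its first connection is this example's reading of persistence.

```python
"""Weighted round robin with zero-weight backups and client persistence,
modelled on the scheduler options described above. Added illustration,
not Sophos code: server names, weights and health states are constructed
sample data, and persistence is modelled as pinning a client to the real
server chosen for its first connection (timeout in seconds, default one
hour, None to disable).
"""
import time
from typing import Dict, List, Optional, Tuple


class RealServer:
    def __init__(self, name: str, weight: int, alive: bool = True) -> None:
        if not 0 <= weight <= 100:
            raise ValueError("weight must be between 0 and 100")
        self.name = name
        self.weight = weight
        self.alive = alive  # outcome of the last health check


class Scheduler:
    """Smooth weighted round robin (the LVS/nginx variant).

    Servers with weight 0 are pure backups: they only receive traffic while
    no server with a positive weight is alive.
    """

    def __init__(self, servers: List[RealServer],
                 persistence_timeout: Optional[float] = 3600.0) -> None:
        self.servers = servers
        self.persistence_timeout = persistence_timeout
        self._current: Dict[str, int] = {s.name: 0 for s in servers}
        self._sticky: Dict[str, Tuple[str, float]] = {}  # client -> (server, last seen)

    def _candidates(self) -> List[RealServer]:
        alive = [s for s in self.servers if s.alive]
        primary = [s for s in alive if s.weight > 0]
        return primary or alive  # fall back to the weight-0 backups

    def _pinned(self, client: str, now: float) -> Optional[RealServer]:
        entry = self._sticky.get(client)
        if entry is None:
            return None
        name, last_seen = entry
        server = next(s for s in self.servers if s.name == name)
        if server.alive and now - last_seen <= self.persistence_timeout:
            return server
        del self._sticky[client]  # entry expired or the pinned server is dead
        return None

    def pick(self, client: str, now: Optional[float] = None) -> Optional[RealServer]:
        """Choose the real server for a new connection from `client`."""
        now = time.time() if now is None else now
        if self.persistence_timeout is not None:
            server = self._pinned(client, now)
            if server is not None:
                self._sticky[client] = (server.name, now)
                return server
        cands = self._candidates()
        if not cands:
            return None  # every real server failed its health check
        # Backups all have weight 0, so they share the load equally.
        eff = {s.name: s.weight or 1 for s in cands}
        for s in cands:
            self._current[s.name] += eff[s.name]
        best = max(cands, key=lambda s: self._current[s.name])
        self._current[best.name] -= sum(eff.values())
        if self.persistence_timeout is not None:
            self._sticky[client] = (best.name, now)
        return best


def distribute(scheduler: Scheduler, connections: int) -> Dict[str, int]:
    """Count where `connections` connections from distinct clients land."""
    counts: Dict[str, int] = {}
    for i in range(connections):
        server = scheduler.pick(f"client-{i}", now=0.0)
        if server is not None:
            counts[server.name] = counts.get(server.name, 0) + 1
    return counts


if __name__ == "__main__":
    pool = [RealServer("server1", 100), RealServer("server2", 50), RealServer("server3", 0)]
    print(distribute(Scheduler(pool, persistence_timeout=None), 30))  # 20 / 10 / none
    pool[0].alive = pool[1].alive = False
    print(distribute(Scheduler(pool, persistence_timeout=None), 3))   # backup only
```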

8.6 VoIP

Voice over Internet Protocol (VoIP) is the routing of voice conversations over the Internet or through any other IP-based network. Sophos UTM offers support for the most frequently employed protocols used to carry voice signals over the IP network:

l   SIP

l   H.323

8.6.1 SIP

The Session Initiation Protocol (SIP) is a signaling protocol for the setup, modification, and termination of sessions between two or several communication partners. It is primarily used for setting up and tearing down voice or video calls. To use SIP, you first have to register your IP address and URLs at your ISP. SIP uses UDP or TCP on port 5060 to indicate which IP addresses and port numbers are to be used between the endpoints to exchange media data (video or voice). Since opening all ports for all addresses would cause a severe security issue, the gateway is able to handle SIP traffic on an intelligent basis. This is achieved by means of a special connection tracking helper monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic while the control channel is busy. For that purpose you must specify both a SIP server network and a SIP client network definition in order to create appropriate firewall rules enabling communication via the SIP protocol.

To enable support for the SIP protocol, proceed as follows:

1.   On the SIP tab, enable SIP protocol support.

Click the toggle switch.

The toggle switch turns amber and the Global SIP Settings area becomes editable.

2.   Make the following settings:

SIP server networks: Here you can add or select the SIP servers (provided by your ISP) the SIP clients should be allowed to connect to; for security reasons, do not select Any. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

SIP client networks: Add or select the hosts/networks of the SIP clients that should be allowed to initiate or respond to a SIP communication. A SIP client is an endpoint in the LAN that participates in real-time, two-way communications with another SIP client. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Expectation mode: Select how strict the initialization of communication sessions should be:

l   Strict: Incoming calls are only allowed from the ISP's registrar, i.e. the IP address the REGISTER SIP message was sent to. Additionally, the UTM only accepts media (voice or video) data sessions from signaling endpoints, i.e., the devices that exchanged the SIP message. Some providers send the media data from another IP address than the SIP message; such media data will be rejected by the UTM.

l   Client/server networks: Incoming calls are allowed from all clients of the defined SIP server or client networks. Media data is accepted from a sender IP address other than the one that sent the SIP message, provided that the address belongs to the defined SIP server or client networks.

l   Any: Incoming calls as well as media data are permitted from anywhere.

3.   Click Apply.

Your settings will be saved.

To cancel the configuration, click the amber colored toggle switch.
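The connection tracking helper and the three expectation modes, as an added Python model that is not Sophos code: the INVITE, the addresses and the networks are constructed, and only the SDP c= and m= lines are parsed, which is all the helper needs to know which media ports to open.

```python
"""Simplified model of the SIP connection tracking helper and its three
expectation modes. Added illustration, not Sophos code: the SIP message,
addresses and networks are constructed, and only the SDP c= and m= lines
are parsed, which is all the helper needs to know which media to expect.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

SIP_PORT = 5060
STRICT, NETWORKS, ANY = "strict", "client/server networks", "any"


@dataclass(frozen=True)
class Expectation:
    """A pinhole opened after an SDP offer or answer passed on port 5060."""
    media_addr: str      # address the SDP advertises for RTP
    media_port: int
    signaling_peer: str  # host that sent the SIP message to media_addr's side


def parse_sdp_media(sip_message: str) -> Tuple[str, List[int]]:
    """Return (connection address, media ports) from a SIP message body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    ports = [int(p) for p in re.findall(r"^m=(?:audio|video) (\d+)", body, re.M)]
    if conn is None or not ports:
        raise ValueError("no usable SDP media description")
    return conn.group(1), ports


class SipHelper:
    def __init__(self, server_networks, client_networks, registrar, mode=STRICT):
        self.server_nets = [ipaddress.ip_network(n) for n in server_networks]
        self.client_nets = [ipaddress.ip_network(n) for n in client_networks]
        self.registrar = ipaddress.ip_address(registrar)  # REGISTER was sent here
        self.mode = mode
        self.expectations: List[Expectation] = []

    def _in(self, ip: str, nets) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def _in_defined_networks(self, ip: str) -> bool:
        return self._in(ip, self.server_nets) or self._in(ip, self.client_nets)

    def track(self, src_ip: str, dst_ip: str, dst_port: int, payload: str) -> int:
        """Inspect a control-channel packet; returns the number of pinholes opened."""
        if dst_port != SIP_PORT:
            return 0
        # Only dialogs between the defined client and server networks are tracked.
        c2s = self._in(src_ip, self.client_nets) and self._in(dst_ip, self.server_nets)
        s2c = self._in(src_ip, self.server_nets) and self._in(dst_ip, self.client_nets)
        if not (c2s or s2c):
            return 0
        try:
            addr, ports = parse_sdp_media(payload)
        except ValueError:
            return 0  # e.g. a REGISTER or OPTIONS message without SDP
        # Media towards `addr` is expected from the host this message was sent to.
        self.expectations += [Expectation(addr, p, dst_ip) for p in ports]
        return len(ports)

    def allow_incoming_call(self, src_ip: str) -> bool:
        """May src_ip send an INVITE to one of the SIP clients?"""
        if self.mode == ANY:
            return True
        if self.mode == NETWORKS:
            return self._in_defined_networks(src_ip)
        return ipaddress.ip_address(src_ip) == self.registrar  # STRICT

    def allow_media(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """May an RTP packet src_ip -> dst_ip:dst_port pass the firewall?"""
        exp = next((e for e in self.expectations
                    if e.media_addr == dst_ip and e.media_port == dst_port), None)
        if exp is None:
            return False  # no pinhole was negotiated for this port, in any mode
        if self.mode == ANY:
            return True
        if self.mode == NETWORKS:
            return self._in_defined_networks(src_ip)
        return src_ip == exp.signaling_peer  # STRICT: only the signaling endpoint


# Constructed INVITE: client 192.168.1.20 offers to receive audio on port 40000.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 40000 RTP/AVP 0\r\n"
)
```

With the constructed addresses, a provider that streams media from 203.0.113.20 while signaling from 203.0.113.10 is rejected in Strict mode and accepted in Client/server networks mode, which is exactly the difference the list above describes.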

8.6.2 H.323

H.323 is an international multimedia communications protocol standard published by the International Telecommunication Union (ITU-T) and defines the protocols to provide audio-visual communication sessions on any packet-switched network. H.323 is commonly used in Voice over IP (VoIP) and IP-based videoconferencing.

H.323 uses TCP on port 1720 to negotiate which dynamic port range is to be used between the endpoints when setting up a call. Since opening all ports within the dynamic range would cause a severe security issue, the gateway is able to allow H.323-related traffic on an intelligent basis. This is achieved by means of a special connection tracking helper monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic while the control channel is busy. For that purpose you must specify both an H.323 gatekeeper and a client network definition in order to create appropriate firewall rules enabling communication via the H.323 protocol.


To enable support for the H.323 protocol, proceed as follows:

1.   On the H.323 tab, enable H.323 protocol support.

Click the toggle switch.

The toggle switch turns amber and the Global H.323 Settings area becomes editable.

2.   Make the following settings:

H.323 Gatekeeper: Add or select an H.323 gatekeeper. An H.323 gatekeeper controls all H.323 clients (endpoints such as Microsoft's NetMeeting) in its zone. More specifically, it acts as a monitor of all H.323 calls within its zone on the LAN. Its most important task is to translate between symbolic alias addresses and IP addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

H.323 Client: Here you can add or select the host/network to and from which H.323 connections are initiated. An H.323 client is an endpoint in the LAN that participates in real-time, two-way communications with another H.323 client. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

3.   Click Apply.

Your settings will be saved.

To cancel the configuration, click the amber colored toggle switch.

8.7 Advanced

The tabs of the Network Protection > Advanced menu let you configure additional network protection features such as a generic proxy, SOCKS proxy, and IDENT reverse proxy.

8.7.1 Generic Proxy

A generic proxy, also known as a port forwarder, combines features of both DNAT and masquerading, forwarding all incoming traffic for a specific service to an arbitrary server. The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the interface used for outgoing connections. In addition, the destination (target) port number can be changed as well.

To add a generic proxy rule, proceed as follows:

1.   On the Generic Proxy tab, click New Generic Proxy Rule.

The Create New Generic Proxy Rule dialog box opens.

2.   Make the following settings:

Interface: Select the interface for incoming connections.

Service: Add or select the service definition of the traffic to be proxied.

Host: Add or select the target host where the traffic should be forwarded to.

Service: Add or select the target service of the traffic to be proxied.

Allowed Networks: Add or select the networks to which port forwarding should be applied.

Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Comment (optional): Add a description or other information.

3.   Click Save.

The new rule appears on the Generic Proxy rule list.

4.   Enable the generic proxy rule.

The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.

8.7.2 SOCKS Proxy

SOCKS is a versatile Internet protocol that allows client-server applications to transparently use the services of a network firewall. It is used by many client applications behind a firewall to communicate with hosts on the Internet. Examples are IRC/Instant Messaging clients, FTP clients, and Windows SSH/Telnet clients. Clients behind a firewall that want to access external servers connect to a SOCKS proxy server instead. This proxy server checks whether the client is eligible to access the external server and passes the request on to the server. Your client application must explicitly support the SOCKS 4 or SOCKS 5 protocol version.

The default port for SOCKS is 1080. Almost all clients have implemented this default port setting, so it normally does not have to be configured. The differences between SOCKS and NAT are that SOCKS also allows "bind" requests (listening on a port on behalf of a client, a feature which is supported by very few clients only) and that SOCKS 5 allows user authentication.

When enabling the SOCKS proxy, you must define one or more networks which should have access to the proxy. When you require user authentication, you can also select the users or groups that should be allowed to use the SOCKS proxy.

Note – Without user authentication, the SOCKS proxy can be used with both the SOCKS 4 and SOCKS 5 protocols. When user authentication is selected, only SOCKS 5 will work. If you want the proxy to resolve hostnames in SOCKS 5 mode, you must also activate the DNS proxy, because otherwise DNS resolution will fail.

To configure the SOCKS proxy, proceed as follows:

1.   On the SOCKS Proxy tab, enable the SOCKS proxy.

Click the toggle switch.

The toggle switch turns amber and the SOCKS Proxy Options area becomes editable.

2.   Make the following settings:

Allowed networks: Add or select the networks that should be allowed to use the SOCKS proxy. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Enable user authentication: If you select this option, users must provide a username and password to log in to the SOCKS proxy. Because only SOCKS 5 supports user authentication, SOCKS 4 is automatically disabled.

Allowed users: Select the users or groups or add new users that should be allowed to use the SOCKS proxy. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

3.   Click Apply.

Your settings will be saved.
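The rules stated in the note and in step 2 (SOCKS 4 only without authentication, username/password for SOCKS 5, hostnames resolved by the proxy itself) as an added Python model of the proxy side of the negotiation; this is not Sophos code, and the allowed network, client addresses and credentials are constructed.

```python
"""Server side of the SOCKS negotiation described above: without user
authentication both SOCKS 4 and SOCKS 5 are accepted; with it, SOCKS 4 is
refused and SOCKS 5 clients must offer username/password (RFC 1929).
Added illustration, not Sophos code; the allowed network, client addresses
and credentials used here are constructed sample data.
"""
import hmac
import ipaddress
import struct
from typing import Dict, Iterable, Optional, Tuple

SOCKS4, SOCKS5 = 0x04, 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class SocksProxy:
    def __init__(self, allowed_networks: Iterable[str], require_auth: bool = False,
                 users: Optional[Dict[str, str]] = None) -> None:
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.require_auth = require_auth
        self.users = users or {}

    def client_allowed(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.allowed)

    def negotiate(self, client_ip: str, greeting: bytes) -> Tuple[bool, bytes]:
        """Handle the first bytes a client sends: (accepted, reply to send).

        For SOCKS 5 the reply is the method selection of RFC 1928 section 3.
        SOCKS 4 has no greeting phase, so its reply is empty and the CONNECT
        request is answered later.
        """
        if not greeting or not self.client_allowed(client_ip):
            return False, b""
        version = greeting[0]
        if version == SOCKS4:
            # SOCKS 4 cannot carry credentials, so it is only usable when
            # authentication is not required.
            return (not self.require_auth), b""
        if version != SOCKS5 or len(greeting) < 2:
            return False, b""
        methods = set(greeting[2:2 + greeting[1]])
        wanted = USER_PASS if self.require_auth else NO_AUTH
        if wanted in methods:
            return True, bytes([SOCKS5, wanted])
        return False, bytes([SOCKS5, NO_ACCEPTABLE])

    def authenticate(self, message: bytes) -> Tuple[bool, bytes]:
        """RFC 1929 username/password sub-negotiation; status 0 means success."""
        try:
            if message[0] != 0x01:
                raise ValueError("bad sub-negotiation version")
            ulen = message[1]
            uname = message[2:2 + ulen]
            plen = message[2 + ulen]
            password = message[3 + ulen:3 + ulen + plen]
            if len(uname) != ulen or len(password) != plen:
                raise ValueError("truncated credentials")
            username = uname.decode()
        except (IndexError, ValueError, UnicodeDecodeError):
            return False, bytes([0x01, 0x01])
        expected = self.users.get(username)
        # Constant-time comparison so a wrong password does not leak timing.
        ok = expected is not None and hmac.compare_digest(expected.encode(), password)
        return ok, bytes([0x01, 0x00 if ok else 0x01])


def parse_connect(request: bytes) -> Tuple[str, str, int, bool]:
    """Parse a SOCKS 5 CONNECT request into (address type, host, port,
    proxy_must_resolve). A domain-name target is resolved by the proxy,
    which is why DNS has to work on the gateway for SOCKS 5 clients."""
    if len(request) < 4 or request[0] != SOCKS5 or request[1] != 0x01:
        raise ValueError("not a SOCKS 5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_IPV4:
        kind, host, rest = "ipv4", str(ipaddress.IPv4Address(request[4:8])), request[8:]
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        kind, host, rest = "domain", request[5:5 + n].decode(), request[5 + n:]
    elif atyp == ATYP_IPV6:
        kind, host, rest = "ipv6", str(ipaddress.IPv6Address(request[4:20])), request[20:]
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", rest[:2])
    return kind, host, port, kind == "domain"
```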

8.7.3 IDENT Reverse Proxy

The IDENT protocol is used by remote servers for a simple verification of the identity of accessing clients. Although this protocol is unencrypted and can easily be spoofed, many services still use (and sometimes require) the IDENT protocol.

To configure the IDENT relay, proceed as follows:

1.   On the IDENT Reverse Proxy tab, enable the IDENT relay.

Click the toggle switch.

The toggle switch turns green and the Global Settings area becomes editable.

2.   Make the following settings:

Forward to Internal Hosts (optional): Since IDENT queries are not covered by the gateway's connection tracking, they will get "stuck" if masquerading is used. You can select the Forward to Internal Hosts option to pass on IDENT queries to masqueraded hosts behind the gateway. Note that the actual IP connection will not be forwarded. Instead, the gateway will in turn ask the internal client for an IDENT reply and will forward that string to the requesting server. This scheme will work with most "mini-IDENT" servers built into popular IRC and FTP clients.

Default Response: The gateway offers support for answering IDENT requests when you enable the IDENT relay. The system will always reply with the string entered in the Default Response box, regardless of the local service that has initiated the connection.

3.   Click Apply.

Your settings will be saved.


9 Web Protection

This chapter describes how to configure basic web protection features of Sophos UTM.

The following topics are included in this chapter:

l   Web Filtering

l   Web Filter Profiles

l   Filtering Options

l   Policy Test

l   Application Control

l   FTP

The Web Protection Statistics page in WebAdmin provides an overview of the most used applications and application categories, the most surfed domains according to time and traffic as well as the top users surfing. In addition, the top blocked website categories are shown. Each of the sections contains a Details link. Clicking the link redirects you to the respective reporting section of WebAdmin, where you can find more statistical information.

Note – You can find detailed information on how the web usage data is collected and how the statistics are calculated on the Logging & Reporting > Web Protection > Web Usage Reports page.

In the Top Applications section, hovering the cursor on an application displays one or two icons with additional functionality:

l   Click the Block icon to block the respective application from now on. This will create a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM. WebAdmin traffic, for example, cannot be blocked as this might lead to locking yourself out of WebAdmin. Unclassified traffic cannot be blocked, either.

l   Click the Shape icon to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Bandwidth Pools page. Traffic shaping is not available when viewing the All Interfaces Flow Monitor as shaping works interface-based.

l   Click the Throttle icon to enable traffic throttling of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor as throttling works interface-based.

9.1 Web Filtering

The tabs of the Web Protection > Web Filtering menu allow you to configure Sophos UTM as an HTTP/S caching proxy. This includes antivirus scanning of incoming and outgoing web traffic, protecting against spyware and detecting malicious websites. It can also control access to websites of different categories, allowing an administrator to enforce policies regarding access to things such as Gambling, Pornography, or Shopping, including blocking these sites or providing a click-through warning page.

Used in conjunction with Sophos Endpoint Software, Sophos UTM can enforce and monitor these same web policies on endpoint machines that are on external networks. Users can take a laptop home or around the world and the same policies will apply. To enable Endpoint Web Control, see Endpoint Protection > Web Control.

You can still manage your filter actions on the Web Filter Profiles > Filter Actions tab. There you can add, modify, clone or delete filter actions. But now you can also create, modify, and assign filter actions by launching the Add/Edit Filter Action wizard on the Web Filtering > Policies tab.

9.1.1 Web Filtering Changes

As of the 9.2 release, Sophos UTM includes a new simplified interface for creating and managing your web filtering policies. While the interface has changed considerably, functionality has not changed. All of your existing settings have been preserved and if you make no changes the system will behave in the exact same way.

Previously, complex web policy involved creating web filtering profiles. These consisted of filter actions, created on the Filter Actions tab, which were then assigned to users and groups through filter assignments on the Filter Assignments tab, and then configured on the Proxy Profiles tab. Now, you can configure all aspects of your Web Filtering policy, including your default configuration and advanced filtering profiles, from the Web Filtering > Policies tab.


Note – Take some time to familiarize yourself with the new interface and read the following overview. While it is different from previous releases, it should be much easier to create and maintain complex web policies.

9.1.1.1 Some Key Differences

l   In 9.1 there were several tabs containing global options that were under Web Protection > Web Filtering. These tabs have moved to Web Protection > Filtering Options.

l   In 9.1 a Proxy Profile had Filter Assignments, which allowed you to select different Filter Actions based on criteria. These are now called Filter Profiles with Policies, which are presented in a table on a second tab of the Profile.

l   In 9.1 the default Profile only supported a single Filter Assignment (called the default assignment). Now you can have many Policies within the default Profile.

l   In 9.1 every Profile had a fallback action. This is now called the Base Policy; however, the functionality is the same. The Base Policy contains the Filter Action that is used if no other policies match.

l   In 9.1 you created Filter Actions using multiple tabs on the default Profile, and a very tall scrolling region for any additional ones. Now the creation of all Filter Actions is done with a multi-tabbed dialog, the Filter Action Wizard.

9.1.1.2 Common Tasks

The following is a brief overview of how you perform common tasks in 9.2 and later compared to the 9.1 interface.

How do I edit the default policy?
    9.1: Configure the various tabs under Web Filtering: Web Filtering > Antivirus/Malware, Web Filtering > URL Filtering, and Web Filtering > Advanced.
    9.2: Web Filtering > Policies.

How do I create or edit a proxy profile?
    9.1: Web Filtering Profiles > Proxy Profiles.
    9.2: Web Filtering > Web Filtering Profiles.

How do I assign a filter assignment to a proxy profile?
    9.1: 1. Create a filter action on Web Filtering Profiles > Filter Actions. 2. Create a filter assignment on Web Filtering Profiles > Filter Assignments. 3. Edit or add a proxy profile on Web Filtering Profiles > Proxy Profiles.
    9.2: 1. On Web Filtering Profiles > Filter Profiles, click on the name of a Filter Profile, or create a profile by clicking the green Plus icon. 2. On the Policies tab, click the green Plus icon to add a policy. 3. Select a Filter Action, or click the green Plus icon to create one.

How do I add a website to a blacklist in my default filter action?
    9.1: Web Filtering > URL Filtering, then click the green Plus icon next to Additional URLs/Sites to block.
    9.2: 1. Web Filtering > Policies. 2. Select the Default content filter action. 3. On the Websites tab, click the green Plus icon next to Block these websites.

How do I create a new Filter Action for my Filter Assignment?
    9.1: Web Filtering Profiles > Filter Assignments.
    9.2: On Web Filtering > Policies, when creating or editing a policy, click the green Plus icon next to Filter Action.

How do I modify advanced settings?
    9.1: Web Filtering > Advanced.
    9.2: Filtering Options > Misc.

How do I manage trusted HTTPS CAs?
    9.1: Web Filtering > HTTPS CAs.
    9.2: Filtering Options > HTTPS CAs.

9.1.1.3 Migration

When you upgrade to version 9.2, your previous configuration and settings are preserved and your system will continue to behave the same. However, as the user interface has changed considerably, things may not be where you expect them to be. The Web Filtering menu item contains all the settings you need to apply a set of policies and actions to a single set of allowed networks. The Web Filter Profiles menu item contains corresponding settings, but allows you to create multiple Profiles so you can apply different settings to different networks. All global settings are now on tabs on the Filtering Options menu item.

Some objects have been renamed. For example, Proxy Profiles are now Filter Profiles and Filter Assignments are now Policies. The Fallback Action is now called the Base Policy, as it is the policy/action that occurs if no other policies match. The relationship between these objects is much clearer, as all Policies are now listed on a tab of the Profile. The Filter Action can be added or modified using a pop-up tabbed dialog that contains everything that can be configured for an action.

One of the limitations of 9.1 is that the default Profile could only have one set of users assigned to it. This has been migrated to a Policy called Default content filter profile assignment with a migrated Filter Action called Default content filter action. If you had other Filter Assignments created, these will now appear as disabled Policies in the Profile.

In 9.1, if you had created a Profile just so that you could have multiple Assignments, you can simplify your configuration by enabling those Policies in the default Profile in the first menu option, making sure that your Allowed Networks is correct, and then deleting the now unnecessary additional Profile.

9.1.2 Global

On the Web Protection > Web Filtering > Global tab you can make the global settings for the Web Filter.

To configure the Web Filter, proceed as follows:

1.   On the Global tab, enable the Web Filter.

Click the toggle switch.

The toggle switch turns green and the Primary Web Filter Profile area becomes editable.

2.   Select the allowed networks.

Select the networks that should be allowed to use the Web Filter. By default, the Web Filter listens for client requests on TCP port 8080 and allows any client from the networks listed in the Allowed networks box to connect.

Caution – It is extremely important not to select an Any network object, because this introduces a serious security risk and opens your appliance up to abuse from the Internet.


3.   HTTPS (SSL) Traffic:

Choose from the following options for scanning SSL traffic:

l   Do not Scan: This option is only available in transparent mode. When selected, HTTPS traffic does not go through the proxy and does not get scanned.

l   URL Filtering Only: This option performs URL category and reputation checks, but does not scan the contents of HTTPS traffic.

l   Decrypt and Scan: Choose this option to decrypt and perform full checks on HTTPS traffic.

4.   Select a mode of operation.

Note that when you select an operation mode that requires user authentication, you need to select the users and groups that shall be allowed to use the Web Filter. The following modes of operation are available:

l   Standard Mode: In standard mode, the Web Filter will listen for client requests on port 8080 by default and will allow any client from the networks listed in the Source networks box to connect. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.

    Select the default authentication mode.

    l   None: Select to not use any authentication.

    l   Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign-on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM or Kerberos.

    l   Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter. The agent can be downloaded from the User Portal. See: User Portal.

    l   Apple OpenDirectory SSO: Select when you have configured LDAP on the Definitions & Users > Authentication Services > Servers tab and you are using Apple OpenDirectory. Additionally, you have to upload a Mac OS X Single Sign-On Kerberos keyfile on the Web Protection > Filtering Options > Misc tab for the proxy to work properly. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration. Note that the Safari browser does not support SSO.

    l   Basic User Authentication: In this mode, each client must authenticate itself against the proxy before using it. For more information about which authentication methods are supported, see Definitions & Users > Authentication Services. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.

    l   Browser: When selected, the users will be presented a login dialog window in their browser to authenticate themselves at the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, please refer to chapter Management > Customization > Web Messages.

    l   eDirectory SSO: Select when you have configured eDirectory on the Definitions & Users > Authentication Services > Servers tab.

    Note – For eDirectory Single Sign-On (SSO) modes, the Web Filter caches accessing IP addresses and credentials for up to fifteen minutes; for Apple OpenDirectory and Active Directory SSO it caches only the group information. This is done to reduce the load on the authentication servers. However, it also means that changes to users, groups, or the login status of accessing users may take up to fifteen minutes to be reflected by the Web Filter.

    If you chose an authentication mode that requires user authentication, select Block access on authentication failure to deny access to users that fail authentication.

l   Transparent Mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage, however, is that only HTTP requests can be processed. Thus, when you select the transparent mode, the client's proxy settings will become ineffective.

UTM 9 WebAdmin   275

9 Web Protection   9.1 Web Filtering

Page 276: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 276/631

9.1 Web Filtering   9 Web Protection

Note – In transparent mode, the Web Filter will strip NTLM authentication head-

ers from HTTP requests. Furthermore, the Web Filter cannot handle FTP

requests in this mode. If your clients want to accesssuch services, you must open

port (21) in the firewall. Note further that some webservers transmit some data,

in particular streaming video and audio, over a port different from port 80. These

requests will not be noticed when the Web Filter operates in transparent mode.

To support such traffic, you must either use a different mode or enter an explicit

firewall rule allowing them.

  • None: Select to not use any authentication.

  • Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos if Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see: Sophos Knowledgebase Article 120791.

Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of an LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.

Note – When using Kerberos, only add groups to the Active Directory groups box, as entries for users are not accepted by the Web Filter.

  • Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter.

  • Browser: When selected the users will be presented a login dialog window in their browser to authenticate themselves at the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, please refer to chapter Management > Customization > Web Messages.

• Full Transparent (optional): Select to preserve the client source IP instead of replacing it by the gateway's IP. This is useful if your clients use public IP addresses that should not be disguised by the Web Filter. The option is only available when running in bridged mode.

The available authentication modes for Full Transparent are the same as Transparent. See above.

5. When configured to use authentication, you have the option to Block access on authentication failure. If you are using AD SSO and do not block access on failure, an SSO authentication failure will allow unauthenticated access without prompting the user. If you are using Browser authentication and do not block access on authentication failure, there will be an additional Guest login link on the login page to allow unauthenticated access.

6. Enable Device-specific Authentication.
To configure authentication modes for specific devices, select the Enable Device-specific Authentication checkbox. Once enabled you can click the green Plus icon to add device types and associated authentication modes.

7. Click Apply.
Your settings will be saved.

Important Note – When SSL scanning is enabled in combination with the transparent mode, certain SSL connections are destined to fail, e.g. SSL VPN tunnels. To enable SSL VPN connections, add the respective target host to the Transparent Mode Skiplist (see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a self-signed certificate you need to create an exception for those hosts, selecting the option Certificate Trust Check. The proxy will then not check their certificates.

Live Log

The Web Filtering live log gives you information on web requests. Click the Open Live Log button to open the Web Filtering live log in a new window.


9.1.3 Policies

Use the Web Protection > Web Filtering > Policies tab to create and manage web filtering policy assignments. Policies are used to apply different Filtering Actions to specific users, groups, or time periods. These policies apply to the Allowed Networks that are on the Global tab. The first policy that matches the user and time will be applied, with the Base Policy applied if no others match. All Profiles have a Base Policy that is always last and cannot be disabled.

To create a new policy, proceed as follows:

1. Click the Plus icon on the upper right.
The Add Policy dialog is displayed.

2. Make the following settings:

Name: Enter a descriptive name for this policy.

Users/Groups: Select the users or user groups that this policy will apply to. You can also create a new user or group. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Time event: The policy will be active for the time period you select. Choose Always to enable the policy at all times. You can also click the green Plus icon to create a new Time Event. Time period definitions are managed on the Definitions & Users > Time Period Definitions tab.

Filter action: Select an existing filter action, which defines the types of web protection you want to apply in a policy. You can also click the green Plus icon to create a new Filter Action using the Filter Action Wizard. Filter actions can also be managed on the Web Filter Profiles > Filter Actions tab.

Comment (optional): Add a description or other information.

Advanced settings: Apply this policy to requests that have skipped authentication due to an exception: You can create Exceptions in the Filtering Options > Exceptions page to do things like skip authentication for automatic updaters that cannot use authentication. If this checkbox is selected then this policy will apply to web requests that have skipped authentication.

3. Click Save.
The new policy appears at the top of the Policies list.


4. Enable the policy.
The new policy is disabled by default (toggle switch is gray). Click the toggle switch to enable the policy. The policy is now enabled (toggle switch is green).

• To modify a policy, click on its name.
• To change the order in which policies are executed, move them up or down in the list by clicking the up or down arrow to the right.
• To modify a filter action, click on the filter action name to display the Edit Filter Action wizard or switch to the Web Filter Profiles > Filter Actions tab.

9.1.3.1 Filter Action Wizard

The Add/Edit Filter Action wizard is used to create or edit filter actions for use in your web policies. You can launch this wizard from the Add Policy or Edit Policy dialogs, or by clicking on the name of an existing filter action on the Web Filtering > Policies tab.

You can still manage your filter actions on the Web Filter Profiles > Filter Actions tab. There you can add, modify, clone or delete filter actions. But now you can create, modify, and assign filter actions by launching the Add/Edit Filter Action wizard on the Web Filtering > Policies tab.

9.1.3.2 Categories

Configure default settings for controlling access to certain kinds of websites.

Name: Enter a descriptive name for this filter action.

Allow/Block selection: Decide whether your selection of website categories should be allowed or blocked. The following options are available:

• Allow all content, except as specified below.
• Block all content, except as specified below.

If you select Allow all content, except as specified below then all category groups are defaulted to Allow, and can be changed to either Warn or Block. If there are categories that are not displayed here as part of a category group, they will also be Allowed. If a website is a member of multiple categories and any of the categories are Blocked, then the website is Blocked.

If you select Block all content, except as specified below then all category groups are defaulted to Block, and can be changed to either Warn or Allow. If there are categories that are not displayed here as part of a category group, they will also be Blocked. If a website is a member of multiple categories and any of the categories are Allowed, then the website is Allowed.


Block spyware infection and communication: Selecting this option will block the spyware category. If you Block all content, then this is always selected.

Note – Advanced Threat Detection can detect and block additional Malware communication. This can be configured in Network Protection > Advanced Threat Protection > Global.

Categories: You can set whether you want users visiting websites of each category to be allowed, warned or blocked. If you select Warn, users browsing to a site in that category will first be presented with a warning page, but they can proceed to the site if they choose.

Note – There are 107 categories that are by default grouped together into 18 “Filter Categories”. These can be configured under Web Protection > Filtering Options > URL Filtering Categories. The Filter Action Wizard displays all Filter Categories that have been configured.

Uncategorized websites: You can set whether uncategorized websites should be Allowed, Warned or Blocked.

Block websites with a reputation below a threshold of: Websites can be classified as either Trusted, Neutral, Unverified, Suspicious, or malicious, the latter not being listed. Unclassified websites are referred to as Unverified. You can select which reputation a website requires in order to be allowed access from your network. Websites below the selected threshold will be blocked. Note that this option is only available if the first option on the page is set to Allow. For more information on website reputations please refer to http://www.trustedsource.org.
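The verdict rules of the Categories page (Allow all vs. Block all defaults, a site in several categories, the uncategorized setting, the always-on spyware block, and the reputation threshold that exists only in Allow mode) are easier to reason about in code. The following is an added example, not Sophos code: class and function names are hypothetical, and the category names and verdicts are constructed. The page states only the Block/Allow rule for multi-category sites; that Warn wins over the default when no Block (or Allow) decides, and that the reputation check runs before the category check, are assumptions of this example.

```python
"""Added example, not Sophos code: verdict resolution for the Categories
page of a filter action. Names are hypothetical; the Warn precedence and
the reputation-before-category order are assumptions (see lead-in)."""
ALLOW, WARN, BLOCK = "Allow", "Warn", "Block"

# Reputation levels in the order the page lists them, best first.
# "Malicious" is not selectable as a threshold but still ranks lowest.
REPUTATION_ORDER = ["Trusted", "Neutral", "Unverified", "Suspicious", "Malicious"]


class FilterAction:
    def __init__(self, block_all_except=False, categories=None,
                 uncategorized=ALLOW, reputation_threshold=None,
                 block_spyware=True):
        self.block_all_except = block_all_except
        # Default verdict for every category group not set explicitly
        self.default = BLOCK if block_all_except else ALLOW
        self.categories = dict(categories or {})   # category -> verdict
        self.uncategorized = uncategorized
        # Per the page: in "Block all" mode the spyware block is always selected
        self.block_spyware = True if block_all_except else block_spyware
        # Per the page: the threshold is only available in "Allow all" mode
        self.reputation_threshold = None if block_all_except else reputation_threshold

    def verdict_for_categories(self, site_categories):
        if not site_categories:
            return self.uncategorized
        if self.block_spyware and "Spyware" in site_categories:
            return BLOCK
        verdicts = [self.categories.get(c, self.default) for c in site_categories]
        if self.block_all_except:
            # Block all: any Allowed category lets the site through
            if ALLOW in verdicts:
                return ALLOW
            return WARN if WARN in verdicts else BLOCK   # Warn precedence: assumption
        # Allow all: any Blocked category blocks the site
        if BLOCK in verdicts:
            return BLOCK
        return WARN if WARN in verdicts else ALLOW       # Warn precedence: assumption

    def reputation_ok(self, reputation):
        if self.reputation_threshold is None:
            return True
        rep = reputation or "Unverified"   # unclassified sites count as Unverified
        return REPUTATION_ORDER.index(rep) <= REPUTATION_ORDER.index(self.reputation_threshold)

    def decide(self, site_categories, reputation=None):
        """Reputation is checked first (assumption), then the category rules."""
        if not self.reputation_ok(reputation):
            return BLOCK
        return self.verdict_for_categories(site_categories)


if __name__ == "__main__":
    # Constructed configuration: allow everything except gambling, warn on social
    action = FilterAction(categories={"Gambling": BLOCK, "Social Networking": WARN},
                          uncategorized=WARN, reputation_threshold="Unverified")
    for cats, rep in ([["News"], "Trusted"], [["News", "Gambling"], "Trusted"],
                      [["News"], "Suspicious"], [[], "Neutral"]):
        print(cats, rep, "->", action.decide(cats, rep))
```

Reading the table of verdicts this produces is a quick way to review a filter action before rolling it out: a permissive action with one Blocked category still blocks a site that also sits in an Allowed category, and with a "Neutral" threshold every unclassified site is blocked because it ranks as Unverified.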

Click Next to proceed to the next configuration page, Save to save your configuration, or Cancel to discard all changes and close the configuration dialog.

9.1.3.3 Websites

Block these websites: If you want to block a specific URL or website, or a subset of webpages of a specific domain, regardless of its category, define it here. This has the effect that websites defined here can be blocked even if they belong to a category you want to allow.

1. Click the Plus icon to open the Add whitelist/blacklist object dialog window.

2. Make the following settings:

  • Name: Enter a descriptive name for the whitelist/blacklist object.

  • Match URLs based on: Domain. Enter one or more domain names. If you check Include subdomains, subdomains will also be matched (example.com will also match www.example.com and mail.example.com). If you do not select Include subdomains, only an exact domain name will match.

  • Match URLs based on: Regular Expression. Enter the regular expressions that you want to use to match against the entire URL. If you check Perform matching on these domains only you can specify a list of domains that must match before the regular expression is applied. Using a regular expression is useful if you need to match against the path.

Cross Reference – For detailed information on using regular expressions for web filtering, see the Sophos Knowledgebase.

Note – Entries must be correct regular expressions. For instance, *.example.com is not valid. If you are trying to match a domain name, try not to use .* as that can expand into the path. For example, the regular expression http://.*example\.com will also match http://www.google.com/search?www.example.com

  • Comment (optional): Add a description or other information.

3. Click Save.

Allow these websites: If you want to allow a specific URL or website, or a subset of webpages of a specific domain, regardless of its category, define it here. This has the effect that websites defined here can be allowed even if they belong to a category you want to block.

1. Click the Plus icon to open the Add Regular Expression Object dialog window.

2. Make the following settings:

  • Name: Enter a descriptive name for the whitelist/blacklist object.

  • Match URLs based on: Domain. Enter one or more domain names. If you check Include subdomains, subdomains will also be matched (example.com will also match www.example.com and mail.example.com). If you do not select Include subdomains, only an exact domain name will match.

  • Match URLs based on: Regular Expression. Enter the regular expressions that you want to use to match against the entire URL. If you check Perform matching on these domains only you can specify a list of domains that must match before the regular expression is applied. Using a regular expression is useful if you need to match against the path.

Cross Reference – For detailed information on using regular expressions for web filtering, see the Sophos Knowledgebase.

Note – Entries must be correct regular expressions. For instance, *.example.com is not valid. If you are trying to match a domain name, try not to use .* as that can expand into the path. For example, the regular expression http://.*example\.com will also match http://www.google.com/search?www.example.com

  • Comment (optional): Add a description or other information.

3. Click Save.
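Both the Block and the Allow lists above share the same two matching options, and the same note about an unanchored .* reaching into the path. The following added example (not Sophos code; function names are hypothetical and the sample URLs are constructed) models Domain matching with and without Include subdomains, Regular Expression matching over the entire URL with the optional Perform matching on these domains only restriction, and compares the loose pattern from the note with an anchored alternative. It goes slightly beyond the note by also showing that the loose pattern matches an unrelated host such as notexample.com.

```python
"""Added example, not Sophos code: the Domain and Regular Expression
matching options of a whitelist/blacklist object, and why an unanchored
".*" over-matches. Names are hypothetical; sample URLs are constructed."""
import re
from urllib.parse import urlsplit


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def domain_match(url, domains, include_subdomains):
    """Domain option: exact host match, or any subdomain too if enabled."""
    host = host_of(url)
    for d in domains:
        d = d.lower().rstrip(".")
        if host == d or (include_subdomains and host.endswith("." + d)):
            return True
    return False


def regex_match(url, patterns, only_domains=None):
    """Regular Expression option, applied to the entire URL.
    With only_domains set ("Perform matching on these domains only"),
    the host must match one of those domains before any pattern is tried."""
    if only_domains and not domain_match(url, only_domains, include_subdomains=True):
        return False
    return any(re.search(p, url) for p in patterns)


LOOSE = r"http://.*example\.com"                        # the pattern the note warns about
STRICT = r"^https?://([a-z0-9-]+\.)*example\.com(/|$)"  # anchored to scheme and host

SAMPLE_URLS = [  # constructed
    "http://example.com/",
    "http://www.example.com/news",
    "http://mail.example.com/inbox",
    "http://notexample.com/",
    "http://www.google.com/search?www.example.com",
]


def compare_patterns(urls=SAMPLE_URLS):
    """Return {url: (loose matched, strict matched)} to show the difference."""
    return {u: (regex_match(u, [LOOSE]), regex_match(u, [STRICT])) for u in urls}


if __name__ == "__main__":
    for u, (loose, strict) in compare_patterns().items():
        print(f"{u:48} loose={loose!s:5} strict={strict}")
```

The anchored form ties the match to the scheme and the end of the host name, so a query string or a longer host cannot satisfy it; when a pattern really only needs to match a path, combining it with Perform matching on these domains only keeps it from being evaluated against other sites at all.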

9.1.3.4 Downloads

Configure which file types and MIME types are blocked or warned.

Warned File Extensions: If a user tries to download a file with an extension in the Warned file extension list, they will first be presented with a warning page. To add a file extension, click the Plus icon in the Warned file extensions box and enter the file extension you want to warn, for example exe. File extensions should not contain a leading dot.

Blocked File Extensions: If a user tries to download a file with an extension in the Blocked file extension list, they will be blocked. To add a file extension, click the Plus icon in the Blocked file extensions box and enter the file extension you want to block, for example exe. File extensions should not contain a leading dot.

Note – Files within archives (e.g. zip files) will not be scanned for blocked file types, blocked extensions or blocked MIME types. To protect your network from these within archived files, consider blocking archive file types such as zip, rar, etc.

Warned MIME Types: If a user tries to download a file of a MIME type listed in the Warned MIME type list, they will first be presented with a warning page. To add a MIME type, click the Plus icon in the Warned MIME types box and enter the MIME type. You can use wildcards (*) in the Warned MIME types list, such as audio/*.


Blocked MIME Types: If a user tries to download a file of a MIME type listed in the Blocked MIME type list, they will be blocked. To add a MIME type, click the Plus icon in the Blocked MIME types box and enter the MIME type. You can use wildcards (*) in the Blocked MIME types list, such as audio/*.

Block downloads larger than: Specify this option to prevent users from downloading files that exceed the specified size (in MB).
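The Downloads page combines four lists and a size limit, and the note above points out that archive contents are not inspected by these checks. The following added example (not Sophos code; the class name, rule order and sample files are constructed) evaluates a download against warned and blocked extensions (stored without a leading dot), warned and blocked MIME types with * wildcards such as audio/*, and the size limit in MB, and then builds a small zip archive in memory to show that an extension inside the archive is invisible to the outer check until archive types themselves are blocked. The order in which the checks are applied (size, then block lists, then warn lists) is an assumption of this example.

```python
"""Added example, not Sophos code: Downloads-page checks of a filter action.
Class name, check order and sample files are constructed assumptions."""
import io
import zipfile
from fnmatch import fnmatchcase
from posixpath import splitext

ALLOW, WARN, BLOCK = "Allow", "Warn", "Block"


class DownloadRules:
    def __init__(self, warned_ext=(), blocked_ext=(), warned_mime=(),
                 blocked_mime=(), max_size_mb=None):
        # Extensions are kept without a leading dot, as the page requires
        self.warned_ext = {e.lstrip(".").lower() for e in warned_ext}
        self.blocked_ext = {e.lstrip(".").lower() for e in blocked_ext}
        # MIME entries may contain "*" wildcards, e.g. audio/*
        self.warned_mime = [m.lower() for m in warned_mime]
        self.blocked_mime = [m.lower() for m in blocked_mime]
        self.max_size = None if max_size_mb is None else max_size_mb * 1024 * 1024

    @staticmethod
    def _mime_listed(mime, patterns):
        return any(fnmatchcase(mime, p) for p in patterns)

    def decide(self, filename, mime_type, size_bytes):
        ext = splitext(filename)[1].lstrip(".").lower()
        mime = (mime_type or "").split(";")[0].strip().lower()  # drop parameters
        if self.max_size is not None and size_bytes > self.max_size:
            return BLOCK                     # "Block downloads larger than"
        if ext in self.blocked_ext or self._mime_listed(mime, self.blocked_mime):
            return BLOCK
        if ext in self.warned_ext or self._mime_listed(mime, self.warned_mime):
            return WARN
        return ALLOW


def constructed_archive():
    """A zip holding a file with an .exe name, built in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"MZ constructed sample, not a real executable")
    return buf.getvalue()


def archive_demo(rules):
    """The outer archive name is all the extension check sees; the member
    names are listed here only to show what the check never looks at."""
    data = constructed_archive()
    outer = rules.decide("tools.zip", "application/zip", len(data))
    members = zipfile.ZipFile(io.BytesIO(data)).namelist()
    inner = [rules.decide(n, "application/octet-stream", 1) for n in members]
    return outer, inner


if __name__ == "__main__":
    rules = DownloadRules(warned_ext=["exe"], blocked_ext=["scr"],
                          warned_mime=["audio/*"], max_size_mb=10)
    print(rules.decide("setup.exe", "application/octet-stream", 4096))
    print(archive_demo(rules))   # outer zip allowed although it holds an .exe
```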

Click Next to proceed to the next configuration page, Save to save your configuration, or Cancel to discard all changes and close the configuration dialog.

9.1.3.5 Antivirus

Antivirus

Use Antivirus scanning: Select the option to have inbound and outbound web traffic scanned for viruses. Sophos UTM features several antivirus engines:

• Single Scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
• Dual Scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.
• Block potentially unwanted applications (PUAs): PUAs are programs that are not malicious, but may be unsuitable for a business environment. This feature is only available when using the Sophos anti-virus engine. To allow specific PUAs if you enable blocking, add exceptions on Web Filtering > Filtering Options > PUAs.

Do not scan files larger than: Specify the maximum size of files to be scanned by the antivirus engine(s). Files exceeding this size will be exempt from scanning.

Tip – If you want to prevent files larger than the maximum scanning size from being downloaded, set the Block downloads larger than value on the Downloads page.

Active Content Removal

In the Active Content Removal area you can configure the automatic removal of specific web content such as embedded objects in webpages. You can configure the following settings:

• Disable JavaScript: This feature will disable all <SCRIPT> tags in HTML pages, resulting in the deactivation of functions that are embedded in or included from HTML pages.
• Remove embedded objects (ActiveX/Java/Flash): This feature will remove all <OBJECT> tags from HTML pages, stripping off dynamic content including ActiveX, Flash, or Java from incoming HTTP traffic.
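To make concrete what the two Active Content Removal settings do to a page, here is an added example (not Sophos code; the class and function names are hypothetical and the sample HTML is constructed) that rewrites HTML by dropping <script> elements and <object> elements together with their contents, while passing everything else through unchanged. The page names only these two tags, so inline event handlers such as onload= are deliberately left alone; the remaining_active_markers() helper reports what a tag-based removal of this kind does not touch, which is the caveat a reviewer would want when relying on it.

```python
"""Added example, not Sophos code: HTML rewriter for the two Active Content
Removal features, Disable JavaScript (<script>) and Remove embedded
objects (<object>). Names are hypothetical; the sample page is constructed."""
from html.parser import HTMLParser


class ActiveContentStripper(HTMLParser):
    def __init__(self, disable_javascript=True, remove_embedded_objects=True):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.drop = set()
        if disable_javascript:
            self.drop.add("script")
        if remove_embedded_objects:
            self.drop.add("object")
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    @staticmethod
    def _attrs(attrs):
        return "".join(f' {k}="{v}"' if v is not None else f" {k}" for k, v in attrs)

    def handle_starttag(self, tag, attrs):
        if tag in self.drop:
            self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in self.drop and not self.skip_depth:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in self.drop:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    # Everything else is passed through when not inside a dropped element
    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_active_content(html, disable_javascript=True, remove_embedded_objects=True):
    parser = ActiveContentStripper(disable_javascript, remove_embedded_objects)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def remaining_active_markers(html):
    """Active constructs still present; shows what tag removal alone misses."""
    low = html.lower()
    return [m for m in ("<script", "<object", "<embed", "<applet", "onload=") if m in low]


SAMPLE_PAGE = (  # constructed
    "<!DOCTYPE html><html><head><title>Demo &amp; test</title>"
    '<script src="http://cdn.example.com/app.js"></script></head>'
    '<body onload="init()"><p>Hello</p>'
    "<script>document.write('x')</script>"
    '<object data="movie.swf" type="application/x-shockwave-flash">'
    '<param name="quality" value="high"></object>'
    "</body></html>"
)

if __name__ == "__main__":
    cleaned = strip_active_content(SAMPLE_PAGE)
    print(cleaned)
    print("still present:", remaining_active_markers(cleaned))
```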

Click Next to proceed to the next configuration page, Save to save your configuration, or Cancel to discard all changes and close the configuration dialog.

9.1.3.6 Additional Options

Enforce Website Protection Features

SafeSearch: Certain search providers have a SafeSearch feature that is designed to remove adult content from search results. You can enforce the use of SafeSearch for Google, Bing or Yahoo. When enabled, a provider's SafeSearch will be enforced, and cannot be turned off or bypassed by Web Filter users. To configure this feature, select the provider whose SafeSearch you want to enforce.

YouTube for Schools: If enabled, users trying to open a YouTube video are restricted to YouTube videos either belonging to the sub-section YouTube EDU or uploaded by your school account. To make this work, you have to sign up at the YouTube for Schools program to get a School ID which you need to enter below.

Note – On the Sophos UTM, you have to make sure that the top-level domains youtube.com and ytimg.com as well as videos in general are not blocked. If you have enabled YouTube for Schools, you need to enter the School ID or code supplied by YouTube.

Enforce allowed domains for Google Apps: Google Apps can block users from accessing certain services unless their Google account is a member of the Google Apps domain. Turning this on enforces this feature, and cannot be turned off or bypassed by Web Filter users. To configure this feature, select Enforce allowed domains for Google Apps. Then, at the top of the Domains box, click the Plus icon or the Action icon to add or import Google Apps domains.

Activity Logging

You can select which activities will be logged:

• Log accessed pages: This feature will log information about all pages that have been accessed through the UTM.
• Log blocked pages: This feature will log information about pages that have been blocked from being accessed.

Network Configuration

You can configure parent proxies, both globally and profile-based (see Web Protection > Filtering Options > Parent Proxies).

Note – With parent proxies enabled, HTTPS requests are not possible in Transparent mode when SSL scanning is enabled.

To configure a parent proxy, do the following:

1. Click the Plus icon at the top of the parent proxies list.
The Add Parent Proxy dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the parent proxy.

Comment (optional): Add a description or other information.

Use proxy for these hosts: Add hosts to this box for which the parent proxy is to be used, e.g. *.wikipedia.org. Note that you can use pattern matching here. Regular expressions, however, are not allowed. If you leave the box empty, an asterisk (*) is automatically added when clicking Save, which matches all hosts. Such a proxy definition can therefore be regarded as a fallback proxy which matches when none of the other proxies, if existent, do.

Parent proxy: Select or add the network definition of the parent proxy.

Port: The default port for the connection to the parent proxy is 8080. If your parent proxy requires a different port, you can change it here.

Proxy requires authentication: If the parent proxy requires authentication, select the checkbox and enter username and password in the appearing textboxes.

3. Click Save.
The new parent proxy appears in the Parent Proxies list and on the Web Protection > Filtering Options > Parent Proxies page.

To edit or delete a parent proxy, click the name of the proxy.

Click Save to save your configuration, or Cancel to discard all changes and close the configuration dialog.


9.2 Web Filter Profiles

Filter profiles can be used to create various content filtering policies, enabling you to apply different policies to different addresses of your network. If you wish to apply the same policies for every network in the company this can be done in Web Protection > Web Filtering. In addition, each filter profile can have its own user authentication method.

Multiple filter profiles allow you to control authentication and web content for different networks. For example you can have a set of policies for your corporate computers using AD SSO, and a different authentication method and set of policies for a guest wireless network.

9.2.1 Filter Profiles

If you want to apply different policy or authentication modes to multiple networks you can create multiple Filter Profiles. For example on your wired network you may only have corporate computers that are integrated with AD, and therefore wish to use Standard mode with an explicit proxy and AD SSO. Your wireless network may have a browser login portal for employees to enter in their AD credentials, as well as a guest login that has limited access.

Profiles can be created on the Web Filter Profiles > Filter Profiles tab. When a web request is made, the UTM will look at the source IP and apply the first profile that has a matching Allowed Network and Operation Mode. The Default Web Filter Profile is configured on the Web Protection > Web Filtering page. It is listed here to show that it is the last profile that will match. Once a profile is selected, the UTM will perform authentication and policy according to that profile.
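The two first-match decisions described on this page and in 9.1.3 Policies (first the profile, chosen by client source network and operation mode with the Default Web Filter Profile as fallback; then, within that profile, the first enabled policy matching the user or group and the time event, with the Base Policy as fallback) can be modelled in a few lines. The following is an added example, not Sophos code: all class, field and function names are hypothetical, the networks, users and times are constructed, and the handling of requests that skipped authentication via an exception (matching only policies that have the Advanced checkbox set, since there is no user to match) is a simplification assumed here.

```python
"""Added example, not Sophos code: first-match selection of a Web Filter
profile (by client network and operation mode) and then of a policy
inside it (by user/group and time event). Names are hypothetical;
networks, users and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    filter_action: str
    users: frozenset = frozenset()   # user or group names; empty for the Base Policy
    active: tuple = None             # (start, end) time of day; None = Always
    enabled: bool = True
    apply_to_skipped_auth: bool = False  # the Advanced setting on the Add Policy dialog

    def matches(self, user, groups, now, skipped_auth):
        if not self.enabled:
            return False
        if self.active is not None and not (self.active[0] <= now.time() <= self.active[1]):
            return False
        if skipped_auth:
            # Request skipped authentication via an exception: no user to match,
            # so only policies with the checkbox set apply (assumption of this example)
            return self.apply_to_skipped_auth
        return user in self.users or bool(self.users & groups)


@dataclass
class Profile:
    name: str
    allowed_networks: tuple   # CIDR strings, the Allowed Networks box
    mode: str                 # "standard" (explicit proxy) or "transparent"
    policies: list            # ordered as on the Policies tab
    base_policy: Policy       # always last, cannot be disabled


def select_profile(profiles, default_profile, client_ip, arrival_mode):
    """First profile whose Allowed Network contains the client and whose
    operation mode matches how the request arrived; the Default Web Filter
    Profile is the fallback."""
    ip = ip_address(client_ip)
    for p in profiles:
        if p.mode == arrival_mode and any(ip in ip_network(n) for n in p.allowed_networks):
            return p
    return default_profile


def select_policy(profile, user, groups, now, skipped_auth=False):
    """First enabled policy matching user/group and time; else the Base Policy."""
    groups = frozenset(groups)
    for pol in profile.policies:
        if pol.matches(user, groups, now, skipped_auth):
            return pol
    return profile.base_policy


def at(hour):
    """Constructed timestamp (on the document's date) for the examples."""
    return datetime(2014, 10, 1, hour, 0)


# Constructed configuration
BASE = Policy("Base Policy", "Default content filter")
CORP = Profile(
    name="Corporate LAN",
    allowed_networks=("10.1.0.0/16",),
    mode="standard",
    policies=[
        Policy("Updaters", "Allow update servers only", apply_to_skipped_auth=True),
        Policy("Finance office hours", "Finance filter action",
               frozenset({"finance"}), (time(8), time(18))),
        Policy("Disabled test", "Block everything", frozenset({"alice"}), enabled=False),
        Policy("All staff", "Standard filter action", frozenset({"staff"})),
    ],
    base_policy=BASE,
)
GUEST = Profile("Guest Wi-Fi", ("192.168.50.0/24",), "transparent", [], BASE)
DEFAULT = Profile("Default Web Filter Profile", ("0.0.0.0/0",), "standard", [], BASE)
PROFILES = [CORP, GUEST]

if __name__ == "__main__":
    prof = select_profile(PROFILES, DEFAULT, "10.1.2.3", "standard")
    pol = select_policy(prof, "bob", {"finance", "staff"}, at(9))
    print(prof.name, "->", pol.name, "->", pol.filter_action)
```

Walking a few requests through these two functions shows the ordering effects the page describes: a finance user gets the office-hours policy at 09:00 but falls through to the staff policy at 20:00, a disabled policy is skipped as if absent, and a client on the guest network that arrives as an explicit proxy request does not match the transparent guest profile and lands in the default profile instead.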

To create a filter profile:

1. Click the Plus icon on the upper right.
The Add Profile wizard opens.

2. Enter a Name and Comment.

3. Select the allowed networks.
Select the networks that should be allowed to use the Web Filter. By default, the Web Filter listens for client requests on TCP port 8080 and allows any client from the networks listed in the Allowed networks box to connect.


4. Select the allowed endpoint groups.
If Endpoint Web Control is enabled, select the endpoint groups that should be allowed to use the Web Filter.

5. HTTPS (SSL) Traffic:
Choose from the following options for scanning SSL traffic:

• Do not Scan: This option is only available in transparent mode. When selected, HTTPS traffic does not go through the proxy and does not get scanned.
• URL Filtering Only: This option performs URL category and reputation checks, but does not scan the contents of HTTPS traffic.
• Decrypt and Scan: Choose this option to decrypt and perform full checks on HTTPS traffic.

6. Select a mode of operation.
Note that when you select an operation mode that requires user authentication, you need to select the users and groups that shall be allowed to use the Web Filter. The following modes of operation are available:

• Standard Mode: In standard mode, the Web Filter will listen for client requests on port 8080 by default and will allow any client from the networks listed in the Source networks box to connect. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.

Select the default authentication mode.

  • None: Select to not use any authentication.

  • Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM or Kerberos.

  • Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter. The agent can be downloaded from the User Portal. See: User Portal.

  • Apple OpenDirectory SSO: Select when you have configured LDAP on the Definitions & Users > Authentication Services > Servers tab and you are using Apple OpenDirectory. Additionally, you have to upload a Mac OS X Single Sign-On Kerberos keyfile on the Web Protection > Filtering Options > Misc tab for the proxy to work properly. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration. Note that the Safari browser does not support SSO.

  • Basic User Authentication: In this mode, each client must authenticate itself against the proxy before using it. For more information about which authentication methods are supported, see Definitions & Users > Authentication Services. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.

  • Browser: When selected the users will be presented a login dialog window in their browser to authenticate themselves at the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, please refer to chapter Management > Customization > Web Messages.

  • eDirectory SSO: Select when you have configured eDirectory on the Definitions & Users > Authentication Services > Servers tab.

Note – For eDirectory Single-Sign-On (SSO) modes, the Web Filter caches accessing IP addresses and credentials for up to fifteen minutes; for Apple OpenDirectory and Active Directory SSO it caches only the group information. This is done to reduce the load on the authentication servers. However, it also means that changes to users, groups, or the login status of accessing users may take up to fifteen minutes to be reflected by the Web Filter.

If you chose an authentication mode that requires user authentication, select Block access on authentication failure to deny access to users that fail authentication.

• Transparent Mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage however is that only HTTP requests can be processed. Thus, when you select the transparent mode, the client's proxy settings will become ineffective.


Note – In transparent mode, the Web Filter will strip NTLM authentication headers from HTTP requests. Furthermore, the Web Filter cannot handle FTP requests in this mode. If your clients want to access such services, you must open port 21 in the firewall. Note further that some webservers transmit some data, in particular streaming video and audio, over a port different from port 80. These requests will not be noticed when the Web Filter operates in transparent mode. To support such traffic, you must either use a different mode or enter an explicit firewall rule allowing them.

  • None: Select to not use any authentication.

  • Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos if Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see: Sophos Knowledgebase Article 120791.

Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of an LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.

Note – When using Kerberos, only add groups to the Active Directory groups box, as entries for users are not accepted by the Web Filter.

  • Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter.

  • Browser: When selected the users will be presented a login dialog window in their browser to authenticate themselves at the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, please refer to chapter Management > Customization > Web Messages.

• Full Transparent (optional): Select to preserve the client source IP instead of replacing it by the gateway's IP. This is useful if your clients use public IP addresses that should not be disguised by the Web Filter. The option is only available when running in bridged mode.

The available authentication modes for Full Transparent are the same as Transparent. See above.

7. When configured to use authentication, you have the option to Block access on authen-

tication failure. If you are using AD SSO and donot blockaccess on failure, an SSO

authentication failure will allow unauthenticated access without prompting the user. If you

are using Browser authentication and do not block access on authentication failure, there

will be an additional Guest login link on the login page to allow unauthenticated access.

8. Enable Device-specific Authentication.
To configure authentication modes for specific devices, select the Enable Device-specific Authentication checkbox. Once enabled you can click the green Plus icon to add device types and associated authentication modes.

9. Click Next, or select Policies from the top of the wizard.

10. Review and create policies for your filter profile.
To create a new policy, proceed as follows:

1. Click the Plus icon on the upper right.
The Add Policy dialog is displayed.

2. Make the following settings:
Name: Enter a descriptive name for this policy.

Users/Groups: Select the users or user groups that this policy will apply to. You can also create a new user or group. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Time event: The policy will be active for the time period you select. Choose Always to enable the policy at all times. You can also click the green Plus icon to create a new Time Event. Time period definitions are managed on the Definitions & Users > Time Period Definitions tab.

Filter action: Select an existing filter action, which defines the types of web protection you want to apply in a policy. You can also click the green Plus icon to create a new Filter Action using the Filter Action Wizard. Filter actions can also be managed on the Web Filter Profiles > Filter Actions tab.

Comment (optional): Add a description or other information.

Advanced settings: Apply this policy to requests that have skipped authentication due to an exception: You can create Exceptions on the Filtering Options > Exceptions page to do things like skip authentication for automatic updaters that cannot use authentication. If this checkbox is selected then this policy will apply to web requests that have skipped authentication.

3. Click Save.
The new policy appears at the top of the Policies list.

4. Enable the policy.
The new policy is disabled by default (toggle switch is gray). Click the toggle switch to enable the policy. The policy is now enabled (toggle switch is green).

11. Click Save.
The new profile appears on the Filter Profiles list.

Important Note – When SSL scanning is enabled in combination with the transparent mode, certain SSL connections are destined to fail, e.g. SSL VPN tunnels. To enable SSL VPN connections, add the respective target host to the Transparent Mode Skiplist (see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a self-signed certificate you need to create an exception for those hosts, selecting the option Certificate Trust Check. The proxy will then not check their certificates.

To either edit or delete a filter profile, click the name of the profile in the list.

9.2.2 Filter Actions

On the Web Filter Profiles > Filter Actions tab you can create and edit a set of web protection configuration settings that can be used to customize different types and levels of protection. Filter actions can be assigned to different users and user groups, providing a flexible way to control web access.

You can create a new filter action by clicking the New filter action button, or edit an existing filter action by clicking the corresponding Edit button. Either of these actions will launch the Filter Action Wizard. For more information, see Web Protection > Policies > Filter Action Wizard.

On the Web Protection > Web Filter Profiles > Filter Actions page you can also search, clone, delete or browse the list of existing filter actions.

9.2.3 Parent Proxies

Some network topologies require an upstream web proxy server. On the Web Protection > Web Filter Profiles > Parent Proxies page you can configure a parent proxy.

To configure a parent proxy, do the following:

1. Click New Parent Proxy.
The Create New Parent Proxy dialog box opens.

2. Make the following settings:
Name: Enter a descriptive name for this parent proxy.

Comment (optional): Add a description or other information.

Use proxy for these hosts: Add hosts to this box for which the parent proxy is to be used, e.g. *.wikipedia.org. Note that you can use pattern matching here. Regular expressions, however, are not allowed. If you leave the box empty, an asterisk (*) is automatically added when clicking Save, which matches all hosts. Such a proxy definition can therefore be regarded as a fallback proxy which matches when none of the other proxies, if existent, do.

Parent proxy: Select or add the network definition of the parent proxy.

Port: The default port for the connection to the parent proxy is 8080. If your parent proxy requires a different port, you can change it here.

Proxy requires authentication: If the parent proxy requires authentication, select the checkbox and enter username and password in the appearing text boxes.

3. Click Save.
The new parent proxy appears on the Parent Proxies list.

The proxy can now be used in filter actions or globally.

To either edit or delete a parent proxy, click the corresponding buttons.

9.3 Filtering Options

On the Web Protection > Filtering Options page you can configure various options for web filtering. The tabs accessible from this page allow you to configure exceptions to filtering, users that can bypass filtering, filtering categories, HTTPS certificates and authorities, and various other options.

9.3.1 Exceptions

On the Web Protection > Filtering Options > Exceptions tab you can define whitelisted client networks, users/groups, and domains. All entries contained in these lists can be excluded from certain web protection services.

To create an exception, proceed as follows:

1. On the Exceptions tab, click New Exception List.
The Create Exception List dialog box opens.

2. Make the following settings:
Name: Enter a descriptive name for this exception.

Comment (optional): Add a description or other information.

Skip These Checks: Select the security checks that should be skipped:

- Authentication: If the Web Filter runs in Authentication mode, you can skip authentication for the source hosts/networks or target domains.

- Caching: Select to disable caching for specific domains or source hosts/networks.

- Block by download size: Select to disable blocking content according to the size of the download.

- Antivirus: Select to disable virus scanning, which checks messages for unwanted content such as viruses, trojan horses and the like.

- Extension blocking: Select to disable the file extension filter, which can be used to block content that contains certain types of files based on their extensions.

- MIME type blocking: Select to disable the MIME type filter, which can be used to block content that has a certain MIME type.

- URL filter: Select to disable the URL filter, which controls the access to certain kinds of websites.

- Content removal: Select to bypass the removal of special content in webpages such as embedded objects (e.g., multimedia files) or JavaScript.

- SSL scanning: Select to skip SSL scanning for the webpage in request. This is useful with online banking websites or with websites that do not play well with SSL interception. Note that for technical reasons this option does not work for any transparent Web Filter mode. With transparent mode, use the Transparent Mode Skiplist instead (see Filtering Options > Misc tab). In standard mode, exceptions can only be made based on the destination host or IP address depending on what the client sends. With exceptions based on categories, instead of the whole URL, only the hostname will be classified.

- Certificate trust check: Select to skip the trust check of the HTTPS server certificate. Note that, when the Web Filter works in transparent mode with authentication, skipping the certificate trust check based on a users/groups match (For all requests Coming from these users/groups) is technically impossible.

- Certificate date check: Select to skip the check of whether the HTTPS certificate's date is valid.

The following two options are useful if there are persons whose activities must not be logged at all:

- Accessed pages: Select to not log pages that have been accessed. Those page requests will also be excluded from reporting.

- Blocked pages: Select to not log pages that have been blocked. Those page requests will also be excluded from reporting.

Some software updates, and similar types of downloads, can be interrupted if a progress page is displayed. If you are having problems with software updates, or if some downloads never finish, select the following option.

- Do not display Download/Scan progress page: Select to disable downloading and scanning progress pages.

For all requests: Select at least one condition for which the security checks are to be skipped. You can logically combine several conditions by selecting either And or Or from the drop-down list in front of a condition. The following conditions can be set:

- Coming from these source networks: Select to add source hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Hosts/Networks box that opens after selecting the condition.

- Coming from these source endpoint groups: Select to add computer groups (see Endpoint Protection > Computer Management > Manage Groups tab) that should be exempt from the security checks of this exception rule. Enter the respective groups in the Source Endpoint Groups box that opens after selecting the condition.

- Matching these URLs: Select to add target domains that should be exempt from the security checks of this exception rule. Add the respective domains to the Target Domains box that opens after selecting the condition. Regular expressions are allowed here. Example: ^https?://[^.]*\.domain.com matches HTTP(S) connections to all subdomains of the domain.

Cross Reference – For detailed information on using regular expressions for web filtering, see the Sophos Knowledgebase.

Note – When using Transparent mode with SSL scanning enabled, you need to enter the target domain(s) as IP addresses. Otherwise the exception will fail for technical reasons.

- Coming from these users/groups: Select to add users or user groups that should be exempt from the security checks of this exception rule. Enter the respective users or groups in the Users/Groups box that opens after selecting the condition. Also, in Standard mode, matching for certain users/groups does not work due to the missing authentication.

- Going to these categories of websites: Select to skip security checks for certain categories. Then select the categories from the list that opens after selecting the condition.

- Coming from these user agents: Select to skip security checks for requests by user agent strings. Regular expressions are allowed.

3. Click Save.
The new exception appears on the Exceptions list.

To either edit or delete an exception, click the corresponding buttons.
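Because every URL an exception pattern matches is exempted from the selected checks, the pattern quoted above is worth testing before the exception is saved. The following is an added example, not part of the manual: it evaluates the manual's pattern and a tighter variant of my own against constructed sample URLs, assuming the UTM applies the pattern to the full request URL with ordinary unanchored regular-expression search.

```javascript
// Added example (not from the Sophos manual). Checks which request URLs an exception's
// "Matching these URLs" regular expression would exempt from the skipped security checks.
// Assumption: the pattern is applied to the full request URL with unanchored search
// semantics, as for an ordinary regular-expression match.

// The pattern quoted in the manual for "all subdomains of domain.com".
const MANUAL_PATTERN = "^https?://[^.]*\\.domain.com";

// A tighter variant (my suggestion, not from the manual): the dots of the domain are
// escaped, host labels cannot contain "/" so the pattern cannot match inside a path,
// any depth of subdomain is accepted, and the host must end right after "domain.com"
// (optionally followed by a port or the start of the path).
const TIGHT_PATTERN = "^https?://([^./]+\\.)+domain\\.com(:\\d+)?(/|$)";

function urlMatchesException(pattern, url) {
  return new RegExp(pattern).test(url);
}

// Constructed sample URLs; "subdomain" records whether an admin who wrote the
// exception for subdomains of domain.com would want that URL exempted.
const SAMPLES = [
  { url: "https://www.domain.com/login",            subdomain: true  },
  { url: "https://a.b.domain.com/",                 subdomain: true  }, // deeper subdomain
  { url: "http://domain.com/",                      subdomain: false }, // bare domain
  { url: "https://www.domainXcom/",                 subdomain: false }, // unescaped "." matches any char
  { url: "https://www.domain.com.example.net/",     subdomain: false }, // no end anchor
  { url: "https://www.domain.computers.example/",   subdomain: false }, // "domain.com" as a prefix
  { url: "http://intranet/files/www.domain.com/",   subdomain: false }, // match inside the path
];

// For each sample: does the pattern exempt it, and is that more or less than intended?
function auditPattern(pattern) {
  return SAMPLES.map(({ url, subdomain }) => {
    const exempt = urlMatchesException(pattern, url);
    return {
      url,
      exempt,
      overBroad: exempt && !subdomain,  // exception applies where it should not
      tooNarrow: !exempt && subdomain,  // intended host still gets the full checks
    };
  });
}
```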

9.3.2 Websites

On the Web Protection > Filtering Options > Websites tab you can maintain lists of sites for which you want to override the default category or reputation.

To add an entry to the Local Site List:

1. Click the Add Site button.

2. Enter the sites you wish to override.
The text box in the Add Local Site(s) dialog will accept URLs, domains, IP addresses, or CIDR ranges.

3. Optionally, select the Include subdomains checkbox.
Selecting this checkbox will apply the overrides to all subdomains. For instance, if you add example.com and select the Include subdomains checkbox, mail.example.com will be included in the override.

4. Select a Category or Reputation to override.
You can override either Category, Reputation, or both. Sites defined in the Local Site List are processed by filter actions using these overridden values.

5. Add an optional comment.

For large lists of sites you can page through entries by using the Next and Previous icons at the top of the tab, or search for items using the search text box. To delete entries click the Delete icon next to the entry, or select multiple items and click the Delete icon at the top of the list.

9.3.3 Bypass Users

On the Web Protection > Filtering Options > Bypass Users tab you can specify which users are allowed to bypass block pages.

To add an existing group or user:

1. Click the Folder icon next to Users/Groups allowed to bypass blocking.
The list of existing users and groups appears in the left navigation pane.

2. Select and drag the user or group to the Users/Groups allowed to bypass blocking box.
The item will now be listed on the Bypass Users tab.

To add a new user:

1. Click the green Plus icon next to Users/Groups allowed to bypass blocking.
The Add user dialog appears.

2. Enter user information into the Add User dialog.
How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

3. Click Apply.
Your settings will be saved.

9.3.4 Potentially Unwanted Applications

On the Web Protection > Filtering Options > PUAs tab you can maintain lists of authorized Potentially Unwanted Applications (PUAs). Your UTM can identify applications that are potentially unwanted in a business environment and block them. To allow specific PUAs when blocking is enabled, add the name as reported in the block page or the logs.

To add an entry to the Local Site List:

1. Click the Plus icon on the Authorized PUAs list.

2. Enter the PUA definition.
To find PUA definitions, go to Logging & Reporting > Web Protection > Web Usage Report and select PUA Downloaders from the Available Reports drop-down.

3. Click Apply.

By clicking the Open Actions menu icon, next to the green Plus icon, you can import or export a text list of PUAs and clear the Authorized PUAs list.

9.3.5 Categories

On the Web Protection > Filtering Options > Categories tab you can customize the mapping of website categories to category groups, which can be selected on the Filter Action tab or on the Website Filtering page. Sophos UTM can identify and block access to different categories of websites. Sophisticated URL classification methods ensure accuracy and completeness in identifying questionable websites. If a user requests a webpage that is not included in the database, the URL is sent to the web crawlers and classified automatically.

Note – If you are of the opinion that a website is wrongly categorized, you can use the following URL report form to suggest new categories.

To assign website categories to a category group, proceed as follows:

1. Click Edit in the category group you want to edit.
The Edit Filter Category dialog box opens.

2. Select the subcategories.
Select or clear the checkboxes of the subcategories you want to add to or remove from the group.

3. Click Save.
The group will be updated with your settings.

Alternatively, you can also create a new filter category. Proceed as follows:

1. Click the New Filter Category button on the top of the page.
The Create Filter Category dialog box opens.

2. Enter a name.
Enter a descriptive name for the new filter category.

3. Select the subcategories.
Select the checkboxes of the subcategories you want to add to the group.

4. Click Save.
The group will be updated with your settings.

To either edit or delete a category, click the corresponding buttons.

9.3.6 HTTPS CAs

On the Web Protection > Web Filtering > HTTPS CAs tab you can manage Signing and Verification Certificate Authorities (CAs) for HTTPS connections.

Signing CA

In this area you can upload your Signing CA certificate, regenerate the Signing CA certificate, or download the existing Signing CA certificate. By default, the Signing CA certificate is created according to the information provided during setup, i.e. it is consistent with the information on the Management > System Settings > Organizational tab—unless there have been any changes applied since.

To upload a new Signing CA certificate, proceed as follows:

1. Click the button Upload.
The Upload PKCS#12 Certificate File dialog window opens.

2. Browse for the certificate to upload.
Click the Folder icon next to the File box, click Browse in the opening Upload File dialog window, select the certificate to upload and click Start Upload.
You can only upload certificates in PKCS#12 format which are password protected.

3. Enter the password.
Enter the password twice into the corresponding fields and click Save.
The new Signing CA certificate will be installed.

To regenerate your Signing CA certificate, proceed as follows:

1. Click the button Regenerate.
The Create New Signing CA dialog box opens.

2. Change the information.
Change the given information according to your needs and click Save.
The new Signing CA certificate will be generated. The Signing CA information in the Signing CA area will change accordingly.

To download the Signing CA certificate, proceed as follows:

1. Click the button Download.
The Download Certificate File dialog window opens.

2. Select the file format to download.
You can choose between two different formats:

- PKCS#12: This format will be encrypted, so enter an export password.

- PEM: Unencrypted format.

3. Click Download.
The file will be downloaded.

If you use certificates for your internal webservers signed by a custom CA, it is advisable to upload this CA certificate to WebAdmin as Trusted Certificate Authority. Otherwise users will be prompted with an error message by the Web Filter claiming to be confronted with an untrustworthy server certificate.

To facilitate supplying client PCs with the proxy CA certificate, users can download the certificate themselves via http://passthrough.fw-notify.net and install it in their browser. The website request is directly accepted and processed by the proxy. It is therefore necessary to enable the Web Filter on the Web Filtering > Global tab first.

Note – In case the proxy's operation mode is not Transparent Mode the proxy has to be enabled in the user's browser. Otherwise the certificate download link will not be accessible.

Alternatively, if the User Portal is enabled, users can download the proxy CA certificate from the User Portal, tab HTTPS Proxy.

Preventing HTTPS Problems

When using HTTPS, Windows system programs like Windows Update and Windows Defender will not be able to establish connections because they are run with system user rights. However, this user, by default, does not trust the proxy CA. It is therefore necessary to import the HTTPS proxy CA certificate for the system user. Do the following:

1. In Windows, open the Microsoft Management Console (mmc).

2. Click on the File menu and then Add/Remove Snap-in.
The Add or Remove Snap-ins dialog window opens.

3. Click Add at the bottom of the window.
The dialog window Add Standalone Snap-In opens.

4. Select Certificates from the list and click Add.
A wizard appears.

5. Select Computer account and click Next.

6. Make sure that Local computer is selected and click Finish and then Close.
The first dialog window now contains the item Certificates (Local Computer).

7. Click OK.
The dialog window closes and the Console Root now contains the item Certificates (Local Computer).

8. In the Console Root window on the left open Certificates > Trusted Root Certification Authorities, right-click Certificates and select All Tasks > Import from the context menu.
The import dialog wizard opens.

9. Click Next.
The next wizard step is displayed.

10. Browse to the previously downloaded HTTPS proxy CA certificate, click Open and then Next.
The next wizard step is displayed.

11. Make sure that Place all certificates in the following store is selected and click Next and Close.
The wizard reports the import success.

12. Confirm the wizard's message.
The proxy CA certificate is now displayed among the trusted certificates.

13. Save the changes.
Click on the File menu and then Save to save the changes on the Console Root.

After importing, the CA is accepted system-wide and connection problems resulting from the HTTPS proxy should not occur.

Verification CAs

This area allows you to manage Verification CAs. Those are Certificate Authorities you trust in the first place, i.e. websites presenting valid certificates signed by these CAs are regarded trustworthy by the HTTPS proxy.

Local Verification CAs: You can upload Verification CAs in addition to the CA list below. Proceed as follows:

1. Click the Folder icon next to the Upload local CA field.
The Upload File dialog window opens.

2. Select the certificate to upload.
Click Browse and select the CA certificate to upload. Only PEM certificate extensions are supported.

3. Upload the certificate.
Click Start Upload to upload the selected CA certificate.
The certificate will be installed and displayed in the Local Verification CAs area.

Global Verification CAs: The list of Verification CAs shown here is identical to the Verification CAs pre-installed by Mozilla Firefox. However, you can disable one or all Verification CAs of the list if you do not regard them as trustworthy. To revoke a CA's certificate click its toggle switch. The toggle switch turns gray and the HTTPS proxy will no longer accept websites signed by this CA.

Tip – Click the blue Info icon to see the fingerprint of a CA.

The HTTPS proxy will present a "Blocked Content" error page to a client if the CA is unknown or disabled. However, you can create an exception for such pages: either via the Create Exception link on the error page of the Web Filter or via the Web Protection > Filtering Options > Exceptions tab.

Note – When clicking the Create Exception link on the Web Filter error page a login dialog window is presented. Only users with admin rights are allowed to create exceptions.

9.3.7 Misc

The Web Protection > Filtering Options > Misc tab contains various other configuration options of the Web Filter such as caching, streaming, or port settings.

Misc Settings

Web filtering port: Here you can define the port number that the Web Filter will use for client requests. The default is 8080.

Note – This only applies if you do not operate the proxy in transparent mode.

Detect HTTP loopback: This option is enabled by default. Only disable HTTP Loopback detection if you have a DNAT rule where the UTM is the original destination and the port is 80.

MIME blocking inspects HTTP body: Not only the HTTP header but also the HTTP body is checked for blocked MIME types. Note that turning on this feature may have a negative impact on performance.

Block unscannable and encrypted files: Select this option to block files that could not be scanned. The reason for that may be, among other things, that files are encrypted or corrupt.

Allowed target services: In the Allowed target services box you can select the target services the Web Filter should be allowed to access. The default setting consists of target services (ports) that are usually safe to connect to and which are typically used by browsers, namely HTTP (port 80), HTTPS (port 443), FTP (port 21), LDAP (port 389), LDAP-SSL (port 636), Web Filter (port 8080), UTM Spam Release (ports 3840-4840), and UTM WebAdmin (port 4444).

Default charset: This option affects how the proxy displays file names in the Download Manager window. URLs (and file names that they may reference) that are encoded in foreign charsets will be converted to UTF-8 from the charset specified here unless the server sends a different charset. If you are in a country or region that uses a double-byte charset, you should set this option to the "native" charset for that country or region.

Search domain: You can add an additional domain here, which will be searched when the first DNS lookup returns no result ("NXDOMAIN"). Then, a second DNS request is initiated which appends the domain given here to the original hostname. Example: A user enters http://wiki, meaning to address wiki.intranet.example.com. However, the URL can only be resolved when you enter intranet.example.com into the Search domain field.

Authentication timeout: This setting allows you to set the length of time (in seconds) that a user can browse after logging in with browser mode authentication. If the user has a logout tab open, the user can continue to browse without re-authenticating until that tab is closed, plus the authentication timeout.

This setting also allows you to set the length of time (in seconds) that a Block Override or a Warning Proceed lasts.

Authentication realm: The authentication realm is the name of the source which a browser displays along with the authentication request when the proxy works in Basic User Authentication mode. It defines the protection space according to RFC 2617. You can give any string here.

Transparent Mode Skiplist

Using this option is only meaningful if the Web Filter runs in transparent mode. Hosts and networks listed in the Skip transparent mode hosts/nets boxes will not be subject to the transparent interception of HTTP traffic. There is one box for source and one for destination hosts/networks. To allow HTTP traffic (without proxy) for these hosts and networks, select the Allow HTTP/S traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.

Proxy Auto Configuration

The proxy auto configuration is a feature that enables you to centrally provide a proxy auto configuration file (PAC file) which can be fetched by browsers. The browsers will in turn configure their proxy settings according to the details outlined in the PAC file.

The PAC file is named wpad.dat, has the MIME type application/x-ns-proxy-autoconfig and will be provided by the UTM. It contains the information you enter into the text box, for example:

function FindProxyForURL(url, host)
{ return "PROXY proxy.example.com:8080; DIRECT"; }

The function above instructs the browser to redirect all page requests to the proxy of the server proxy.example.com on port 8080. If the proxy is not reachable, a direct connection to the Internet will be established.

The hostname can also be written as a variable called ${asg_hostname}. This is especially useful when you want to deploy the same PAC file to several Sophos UTM appliances using Sophos UTM Manager. The variable will then be instantiated with the hostname of the respective UTM. Using the variable in the example above would look like the following:

function FindProxyForURL(url, host)
{ return "PROXY ${asg_hostname}:8080; DIRECT"; }

To provide the PAC file for your network, you have the following possibilities:

- Providing via browser configuration: If you select the option Enable Proxy Auto Configuration, the PAC file will be available via the UTM Web Filter under the URL of the following type: http://IP-of-UTM:8080/wpad.dat. To use this file, enter its URL in the automatic proxy configuration setting of those browsers which are to use the proxy.

- Providing via DHCP: You can have your DHCP server(s) hand out the URL of the PAC file together with the client IP address. To do that, select the option Enable HTTP Proxy Auto Configuration in your DHCP server configuration (see chapter Network Services > DHCP). A browser will then automatically fetch the PAC file and configure its settings accordingly.

Note – Providing via DHCP works with Microsoft's Internet Explorer only. Regarding all other browsers you need to provide the PAC file manually.
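As an added example that is not the manual's own PAC text, the following wpad.dat body extends the one-line function above with DIRECT rules for internal names and addresses and makes the fail-open effect of the "; DIRECT" fallback explicit. proxy.example.com:8080, intranet.example.com and 10.0.0.0/8 are assumed placeholders; the PAC helper functions are shimmed only so the file can be run outside a browser.

```javascript
// Added example, not the manual's own PAC text. Placeholders: proxy.example.com:8080
// is the UTM Web Filter, intranet.example.com and 10.0.0.0/8 are the internal network.

// --- Test shims for the PAC helper functions every browser supplies. They exist only
// --- so the file can be exercised outside a browser (e.g. with node); remove them
// --- when pasting the body into the UTM text box, the browser provides the real ones.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Browser semantics: true when host ends with domain; a leading "." in domain
  // therefore also enforces a label boundary.
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  // Browsers resolve a hostname first; this shim only handles dotted-quad literals.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var toInt = function (ip) {
    return ip.split(".").reduce(function (n, o) { return (n << 8) + parseInt(o, 10); }, 0) >>> 0;
  };
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// Address of the UTM Web Filter. When the same file is deployed to several appliances
// through Sophos UTM Manager, "PROXY ${asg_hostname}:8080" can be used instead.
var UTM_PROXY = "PROXY proxy.example.com:8080";

function FindProxyForURL(url, host) {
  // Unqualified intranet names (the ones the "Search domain" setting would otherwise
  // have to expand) and hosts in the internal domain never need the Web Filter.
  if (isPlainHostName(host) || dnsDomainIs(host, ".intranet.example.com")) {
    return "DIRECT";
  }
  // Internal RFC 1918 addresses entered as IP literals.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the UTM. The manual's example appends "; DIRECT",
  // which lets the browser bypass filtering whenever the proxy is unreachable
  // (fail-open). Leaving the fallback out keeps the policy enforced (fail-closed)
  // at the cost of web access while the proxy is down; choose deliberately.
  return UTM_PROXY;
}
```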

URL Categorization Parent Proxy

Enter a proxy server for URL categorization lookups if you do not have direct internet access. This option is only available if you have endpoint protection enabled, or if you are doing local lookups. For local lookups, this option sets the proxy that will be used to download categorization updates to the UTM.

Web Caching

Enable caching: When this option is enabled, the Web Filter keeps an on-disk object cache to speed up requests to frequently visited webpages.

- Cache SSL content: With this option enabled, SSL-encrypted data will be stored unencrypted on disk as well.

- Cache content that contains cookies: Cookies are often used for authentication purposes. With this option enabled, HTTP answers containing cookies will be cached as well. This may be critical, as users requesting the same page are likely to get the cached page, containing the cookie of another user.

Important Note – Caching SSL and/or cookie content is an important security issue as the content is readable by every user with SuperAdmin rights.

- Force caching for Sophos Endpoint updates: If enabled, certain data related to Sophos Auto Update (SAU) requests from endpoints will be cached. We recommend enabling this feature when using endpoint protection. If disabled, this type of data will not be cached. This can lead to uplink saturation when many endpoints simultaneously try to download data from the update servers in the Internet.

Clear Cache: You can delete all cached pages by clicking Clear Cache.

Streaming Sett ings

Bypass content scanning for streaming content: When this option isactive, typical audio

and video streaming content is not subject to content scanning. Disabling this option will effect-

ively disable most media streams, since they cannot be scanned in a reasonable timeframe. It is

therefore recommended to leave this option turned on.

Apple OpenDirectory S ingle S ign-On

When you are using Apple OpenDirectory SSO as authentication method, you need to upload a

MAC OS X Single Sign-On Kerberos keyfile for authentication to work properly. Generate that

keyfile and upload it by clicking the Folder icon. For more information on how to generate that

keyfile please refer to the Kerberos documentation.

Cert i ficate for End-User Pages

The UTM uses HTTPS to provide user notification, perform browser authentication and secure

other user interactions. By default, the UTM uses an automatically generated certificate for these HTTPS connections. You can use this option to use a custom certificate for HTTPS pages


that are presented to the end user. To use your own custom certificate for these HTTPS connections, first upload it using Remote Access > Certificate Management > Certificates, then select it and update the settings here.

Note – The Hostname specified is the base domain for the certificate you are using. The UTM will then prepend passthrough. or passthrough6. to that domain. The certificate must be valid for passthrough (and passthrough6) as a Common Name, Subject Alternative Name, or most commonly as a wildcard certificate, so you can prepend any host at the domain. In addition, you must set up DNS for passthrough and passthrough6 to specific IP addresses. If you use the UTM as your DNS server this is done automatically. If you are using an alternate DNS server you must create those entries there.
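To check whether an uploaded certificate actually covers both derived hostnames before switching to it, here is an added example (not code from the manual or the UTM): a small Python checker that applies the usual single-label wildcard rule to the certificate's Common Name and Subject Alternative Names. The base domain and the certificate names are constructed sample values.

```python
"""Check that a certificate's names cover the UTM end-user page hostnames.

Added example, not part of the Sophos manual or its software. Given the base
domain configured as Hostname, the UTM serves end-user pages as
passthrough.<domain> and passthrough6.<domain>; this script checks whether a
certificate's Common Name and Subject Alternative Names cover both, applying
the usual single-label wildcard rule (*.example.com covers one label only).
The certificate names used below are constructed sample values.
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    A wildcard is only honoured as the complete left-most label and only
    matches exactly one label, as browsers do: '*.example.com' covers
    'passthrough.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # the wildcard must be the whole first label, and the only one
    if len(p_labels) < 3:
        return False  # '*.com' style wildcards are not accepted
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def passthrough_hosts(base_domain: str) -> list[str]:
    """The two hostnames the UTM derives from the configured base domain."""
    base_domain = base_domain.strip().rstrip(".")
    return [f"passthrough.{base_domain}", f"passthrough6.{base_domain}"]


def check_certificate(cn: str, sans: list[str], base_domain: str) -> dict[str, bool]:
    """Map each required passthrough hostname to whether the certificate covers it."""
    names = [cn] + list(sans)
    return {
        host: any(name_matches(name, host) for name in names)
        for host in passthrough_hosts(base_domain)
    }


if __name__ == "__main__":
    # Constructed sample certificates; none of these are real.
    wildcard = check_certificate("*.example.com", [], "example.com")
    explicit = check_certificate("www.example.com",
                                 ["passthrough.example.com"], "example.com")
    for label, result in (("wildcard", wildcard), ("explicit", explicit)):
        for host, ok in result.items():
            print(f"{label}: {host}: {'covered' if ok else 'MISSING'}")
```

The second sample certificate shows the common mistake: a SAN for passthrough only, leaving passthrough6 uncovered.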

9.4 Policy Test

Use the Web Protection > Policy Test page to test URLs against your existing Web Filter Profiles. To test a URL against your current policy, proceed as follows:

1. Enter the URL you want to test.

2. Set the source IP address.
Different source networks may have different Web Filter Profiles. If a network is included in more than one profile, the profile with the highest priority will be used by the policy tester.

3. Optionally, enter a user to test the request as.
Users can fall under different Web Filter Profiles.

4. Optionally, enter a time for the request.
Web Filter Profiles can be configured to have rules based on the time of day.

5. Click Test.
The results of your test parameters will be displayed in the Policy Test Results box.

Note – When you test a URL against your Web Filter Profiles, the Web Protection > Policy Test page does not download content, or check for malware, MIME types, or file extensions. The actual filtering behavior may be different depending on what content the URL is hosting.


Note – The correct Authentication Server must be added on the Definitions & Users > Authentication Services > Servers page for the test to work properly.

9.5 Application Control

The Application Control functionality of UTM allows you to shape and block network traffic based on the type of traffic. In contrast to the Web Filtering functionality of UTM (see chapter Web Filtering), the application control classification engine distinguishes network traffic not only by protocol or by URL but in a more fine-grained way. This is especially useful regarding web traffic: traffic to websites normally uses the HTTP protocol on port 80 or the HTTPS protocol on port 443. When you want to block traffic to a certain website, e.g. facebook.com, you can do that either based on that website's URL (Web Filtering), or you can block facebook traffic independent of any URL by relying on network traffic classification.

The classification engine of UTM uses layer 7 packet inspection to classify network traffic.

Application control can be used in two ways. In a first step, you need to generally enable application control on the Network Visibility page, which makes applications "visible". Now you can leave it that way (or for a certain time) to see which applications are used by your users (e.g. in Flow Monitor, logging, reporting). In a second step you can block certain applications and allow others. This is achieved by rules which can be created on the Application Control Rules page. Additionally, you can use traffic shaping to privilege traffic of defined applications, which can be configured via Sophos' Quality of Service function.

9.5.1 Network Visibility

On the Web Protection > Application Control > Network Visibility page, you can enable and disable application control.

When application control is enabled, all network traffic is classified and logged according to its classification. Current network traffic can be viewed via the Flow Monitor with in-depth information about its type (see chapter Flow Monitor). For example, information on HTTP traffic is drilled down to the underlying applications, e.g. "twitter", "facebook", etc. To open the Flow Monitor, select the desired interface in the Flow Monitor section and click the Open Flow Monitor button.


Regarding logging and reporting, there is extensive information available on network traffic and its classification, as well as clients and servers which use those applications. For more information on logging and reporting see chapter Logging & Reporting, section View Log Files for logging and section Network Usage > Bandwidth Usage and Web Protection > Application Control for reporting.

9.5.2 Application Control Rules

On the Web Protection > Application Control > Application Control Rules page you can create rules based on network traffic classification which define applications whose traffic should be blocked or explicitly allowed for your network.

By default, all network traffic is allowed when application control is enabled.

Application control rules can be created either via this page or via the Flow Monitor. The latter method may be more convenient; however, you can only create rules for traffic currently monitored in your network.

To create an application control rule, proceed as follows:

1. On the Application Control Rules tab, click New Rule.
The Create New Rule dialog box opens.

2. Make the following settings:

Name (optional): You can enter a name for the rule. If you leave the field empty the system is going to generate a name for the rule.

Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes; it does not affect rule matching. To create a new group select the <<New group>> entry and enter a descriptive name in the Name field.

Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

Action: Select whether the traffic is to be blocked or allowed.

Control by: Select whether to control traffic based on its application type or by a dynamic filter based on categories.


• Applications: The traffic is controlled application-based. Select one or more applications in the box Control These Applications.

• Dynamic filter: The traffic is controlled category-based. Select one or more categories in the box Control These Categories.

Control these applications/categories: Click the Folder icon to select applications/categories. A dialog window opens, which is described in detail in the next section.

Note – Some applications cannot be blocked. This is necessary to ensure flawless operation of Sophos UTM. Such applications lack a checkbox in the application table of the Select Application dialog window, e.g. WebAdmin, Teredo and SixXS (for IPv6 traffic), Portal (for User Portal traffic), and some more. When using dynamic filters, blocking of those applications is also prevented automatically.

Productivity (only with Dynamic filter): Reflects the productivity score you have chosen.

Risk (only with Dynamic filter): Reflects the risk score you have chosen.

For: Select or add networks or hosts to this box whose network traffic is to be controlled by this rule. This applies only to source hosts/networks. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Log: This option is selected by default and enables logging of traffic which matches the rule.

Comment (optional): Add a description or other information.

3. Click Save.
The new rule appears on the Application Control Rules list.

The Select Application or Category Dialog Window

When creating application control rules you need to choose applications or application categories from a dialog window called Select one or more applications/categories to control. The table in the lower part of the dialog window displays the applications you can choose from or which belong to a defined category. By default, all applications are displayed.

The upper part of the dialog window provides three configuration options to limit the number of applications in the table:

• Category: Applications are grouped by category. This list contains all available categories. By default, all categories are selected, which means that the table below displays


all applications available. If you want to limit the displayed applications to certain categories, click into the category list and select only one or more categories relevant to you.

• Productivity: Applications are also classified by their productivity impact, which means how much they influence productivity. Example: Salesforce, a typical business software, has the score 5, which means its usage adds to productivity. On the contrary, Farmville, an online game, has the score 1, which means its usage is counterproductive. The network service DNS has the score 3, which means its productivity impact is neutral.

• Risk: Applications are also classified by the risk they carry when used with regard to malware, virus infections, or attacks. A higher number means a higher risk.

Tip – Each application has an Info icon which, when clicked, displays a description of the respective application. You can search the table by using the filter field in the table header.

Now, depending on the type of control you selected in the Create New Rule dialog box, do the following:

• Control by dynamic filter: Select the categories from the Category box and click Apply to adopt the selected categories to your rule.

• Control by application: From the table, select the applications you want to control by clicking the checkbox in front. Click Apply to adopt the selected applications to your rule.

After clicking Apply, the dialog window closes and you can continue to edit the settings of your application rule.

9.5.3 Advanced

On the Web Protection > Application Control > Advanced page you can configure advanced options for application control.

Application Control Skiplist

Hosts and networks listed in this box will not be monitored by application control and can therefore neither be controlled by application control nor by the application selector of Quality of Service. This applies both to source and destination hosts/networks.


9.6 FTP

On the Web Protection > FTP tab you can configure the FTP proxy. The File Transfer Protocol (FTP) is a widely used protocol for exchanging files over the Internet. Sophos UTM provides a proxy service acting as a go-between for all FTP traffic passing your network. The FTP proxy provides such useful features as virus scanning of FTP traffic or blocking of certain file types that are transferred via the FTP protocol.

The FTP proxy can work transparently, that is, all FTP clients within your network establish a connection to the proxy instead of their ultimate destination. The proxy then initiates a new network connection on behalf of the request, invisible to the client. The advantage of this mode is that no additional administration or client-side configuration is necessary.

9.6.1 Global

On the Web Protection > FTP > Global tab you can configure the basic settings of the FTP proxy.

To configure the FTP proxy, proceed as follows:

1. On the Global tab, enable the FTP proxy.
Click the toggle switch.
The toggle switch turns amber and the FTP Settings area becomes editable.

2. Select the allowed networks.
Select the networks that are allowed to use the FTP proxy.

3. Select an operation mode.
Select an operation mode for the FTP proxy. The following modes are available:

• Transparent: The proxy forwards the client request to the target server and scans the content. No configuration on the client side is necessary.

• Non-Transparent: Using this mode you need to configure the FTP clients. Use the gateway's IP address and port 2121.

• Both: This mode allows you to use transparent mode for some clients and non-transparent mode for others. Configure FTP clients that are to work in non-transparent mode to use a proxy with the gateway's IP address and port 2121.


4. Click Apply.
Your settings will be saved.

Note – The FTP proxy is unable to communicate with FTP servers that use Active Directory authentication. To enable FTP clients to connect to an FTP server of that kind, add the server to the FTP proxy skiplist, which is configured on the Advanced tab.

9.6.2 Antivirus

The Web Protection > FTP > Antivirus tab contains all measures that can be taken against FTP traffic that carries harmful and dangerous content such as viruses, worms, or other malware.

Use Antivirus scanning: When selecting this option, FTP traffic will be scanned. Sophos UTM features several antivirus engines for best security.

• Single Scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.

• Dual Scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.

Max scanning size: Specify the maximum size of files to be scanned by the antivirus engine(s). Files exceeding this size will be exempt from scanning.

Click Apply to save your settings.

Note – Files within archives (e.g. zip files) will not be scanned for blocked file types, blocked extensions or blocked MIME types. To protect your network from such files inside archives, consider blocking archive file types such as zip, rar, etc.

File Extension Filter

This feature filters FTP transfers of files whose extension (e.g., that of executable binaries) is listed in the Blocked File Extensions box. You can add additional file extensions or delete file extensions that are not to be blocked. To add a file extension, click the Plus icon in the Blocked File Extensions box and enter the file extension you want to block, for example exe (without the delimiting dot). Click Apply to save your settings.


9.6.3 Exceptions

On the FTP > Exceptions tab you can define whitelist hosts/networks that should be excluded from selectable security options offered by the FTP proxy.

To create an exception, proceed as follows:

1. On the Exceptions tab, click New Exception List.
The Create Exception List dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this exception.

Skip these checks: Select the security checks that should be skipped:

• Antivirus checking: Select to disable virus scanning, which checks traffic for unwanted content such as viruses, trojan horses, and the like.

• Extension blocking: Select to disable the file extension filter, which can be used to block file transfers based on file extensions.

• Allowed servers: Select to disable checks for allowed servers, which can be set on the Advanced tab. If selected, the selected client hosts/networks will have access to any FTP server, whereas the selected server hosts/networks will be allowed for any client.

For these client hosts/networks: When selecting this option, the Client Hosts/Networks box opens. Select the client hosts/networks that should be exempt from the security checks of this exception rule.

OR For these server hosts/networks: When selecting this option, the Server Hosts/Networks box opens. Select the server hosts/networks that should be exempt from the security checks of this exception rule.

Comment (optional): Add a description or other information.

3. Click Save.
The new exception appears on the Exceptions list.

To either edit or delete an exception, click the corresponding buttons.


9.6.4 Advanced

On the FTP > Advanced tab you can specify hosts and networks that can skip the transparent mode of the FTP proxy. Additionally, you can define which FTP servers are allowed to be accessed.

FTP Proxy Skiplist

Hosts and networks (FTP clients as well as FTP servers) listed here are excluded from the transparent interception of FTP traffic. However, to allow FTP traffic for these hosts and networks, select the Allow FTP traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.

Note – The FTP proxy is unable to communicate with FTP servers that use Active Directory authentication. To enable FTP clients to connect to an FTP server of that kind, add the server to the FTP proxy skiplist.

FTP Servers

Select or add FTP servers or networks that are allowed to be accessed from your hosts/networks. You can create exceptions for some FTP clients or FTP servers to bypass this list on the Exceptions tab.


10 Email Protection

This chapter describes how to configure basic email protection features of Sophos UTM. The Email Protection Statistics page in WebAdmin shows an overview of today's top ten email senders, email recipients, spammers (by country), recognized malware, and concurrent connections. Each of the sections contains a Details link. Clicking the link redirects you to the respective reporting section of WebAdmin, where you can find more statistical information.

The following topics are included in this chapter:

• SMTP
• SMTP Profiles
• POP3
• Encryption
• SPX Encryption
• Quarantine Report
• Mail Manager

10.1 SMTP

The menu Email Protection > SMTP allows you to configure the SMTP proxy. SMTP is the abbreviation of Simple Mail Transfer Protocol, a protocol used to deliver emails to a mail server. Sophos UTM includes an application level gateway for SMTP, which can be used to protect your internal mail server from remote attacks and additionally provides powerful virus scanning and email filtering services.

Note – To use the SMTP proxy correctly, a valid name server (DNS) must be configured.

10.1.1 Global

On the Email Protection > SMTP > Global tab you can decide whether to use Simple Mode for SMTP configuration or Profile Mode.


1. Enable SMTP.
Click the toggle switch.
The toggle switch turns green and the Configuration Mode area becomes editable.

2. Select a configuration mode.

Simple Mode: Use this mode if all domains share the same settings. However, you can still define exceptions based on domain name, email addresses, and hosts. There is no functionality restriction compared with Profile Mode.

Profile Mode: (Not available with BasicGuard subscription.) In this mode you can override or extend global settings, e.g. of antispam and antivirus, for individual domains or domain groups by creating profiles for them in the menu SMTP Profiles. Settings made in the SMTP menu still apply to their assigned domains and, moreover, serve as defaults for profiles. In Profile Mode, you will find additional notes with some of the settings regarding recommendations for profile mode and behavior of the UTM.

3. Click Apply.
The selected mode will be enabled.

SPX Global Template

If SPX Encryption is enabled, this section is available. From the drop-down list, select the SPX template that will be globally used. If using SMTP Simple mode, this template will be used for all SMTP users. If using SMTP Profile mode, this template will be used for all SMTP profiles that do not have an individual SPX template selected.

Live Log

The SMTP Live Log logs the SMTP proxy activities, showing all incoming emails. Click the button to open the live log in a new window.

10.1.2 Routing

On the Routing tab you can configure domain and routing targets for the SMTP proxy and define how recipients are to be verified.

To configure the SMTP proxy routing, proceed as follows:

1. Enter your internal domain(s).
To enter your email domains, click the Plus icon in the Domains box.


In the appearing text box, enter the domain in the form example.com and click Apply. Repeat this step until all domains are listed. You can also use wildcards in different ways, for example *.me.mycompany.de, *.mycompany.de, *.me*.mycompany.*e, **.mycompany.*. It is not allowed to use only '*'.
In Profile Mode: Enter only domains that use global settings. All other domains should be listed in their respective profiles.

2. Specify the internal server.
From the drop-down list Route by, select the host to which emails for the domains listed above should be forwarded. A typical target host would be the Microsoft Exchange Server on your local network. You can choose between different server types:

• Static host list: Select a host definition of the target route in the Host list box. Note that you can select several host definitions for basic failover purposes. If delivery to the first host fails, mail will be routed to the next one. However, the (static) order of hosts cannot be determined with the current version of Sophos UTM and is somewhat accidental. To randomize delivery to a group of hosts so as to additionally achieve basic load balancing capability, use the DNS hostname route type and specify a hostname that has multiple A records (an A record or address record maps a hostname to an IP address).

• DNS hostname: Specify the fully qualified domain name (FQDN) of your target route (e.g., exchange.example.com). Note that when you select a DNS name having multiple A records, mail to each server will be delivered randomly. In addition, if one server fails, all mail destined for it will automatically be routed to the remaining servers.

• MX records: You can also route mail to your domain(s) by means of MX record(s). If you select this route type, the mail transfer agent of Sophos UTM makes a DNS query requesting the MX record for the recipient's domain name, which is the portion of the email address following the "@" character. Make sure that the gateway is not the primary MX for the domain(s) specified above, since it will not deliver mail to itself.

3. Click Apply.
Your settings will be saved.
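To see which recipients the Domains list actually covers before choosing a route target, here is an added example (not code from the manual or the UTM) that validates the wildcard domain entries shown in step 1 and matches recipient addresses against them. It assumes that each '*' matches any run of characters, dots included, which is the simplest reading of the manual's examples; the configured entries and addresses are constructed sample values.

```python
"""Match recipient domains against the SMTP Routing tab's domain entries.

Added example; it is not part of the Sophos manual or the UTM software. It
models the wildcard domain entries shown on the Routing tab (for example
*.mycompany.de or **.mycompany.*) and the rule that a bare '*' is not
allowed. Assumption: each '*' matches any run of characters, dots included,
which is the simplest reading of the manual's examples; the UTM's exact
matching semantics are not documented on this page.
"""
from __future__ import annotations

import re


class InvalidDomainPattern(ValueError):
    """Raised for patterns the Routing tab would not accept."""


def validate_pattern(pattern: str) -> str:
    """Normalise a domain pattern and reject a pattern made only of '*'."""
    pattern = pattern.strip().lower().rstrip(".")
    if not pattern:
        raise InvalidDomainPattern("empty pattern")
    if set(pattern) == {"*"}:
        raise InvalidDomainPattern("a pattern consisting only of '*' is not allowed")
    if not re.fullmatch(r"[a-z0-9*.-]+", pattern):
        raise InvalidDomainPattern(f"unsupported characters in {pattern!r}")
    return pattern


def is_valid_pattern(pattern: str) -> bool:
    """Convenience wrapper: True if validate_pattern() accepts the entry."""
    try:
        validate_pattern(pattern)
    except InvalidDomainPattern:
        return False
    return True


def pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Compile a validated pattern: '*' becomes '.*', everything else is literal."""
    literal_parts = [re.escape(chunk) for chunk in validate_pattern(pattern).split("*")]
    return re.compile(".*".join(literal_parts))


def domain_matches(pattern: str, domain: str) -> bool:
    """True if the whole domain (case-insensitive) is covered by the pattern."""
    domain = domain.strip().lower().rstrip(".")
    return pattern_to_regex(pattern).fullmatch(domain) is not None


def routing_entry_for(recipient: str, domains: list[str]) -> str | None:
    """Return the first configured domain entry covering the recipient's domain,
    or None when no entry applies (the gateway would not route that mail)."""
    local_part, at, domain = recipient.rpartition("@")
    if not at or not local_part or not domain:
        raise ValueError(f"not a plain email address: {recipient!r}")
    for entry in domains:
        if domain_matches(entry, domain):
            return entry
    return None


if __name__ == "__main__":
    # Constructed configuration and addresses; not real mail domains.
    configured = ["example.com", "*.me.mycompany.de", "*.mycompany.de", "**.mycompany.*"]
    for addr in ("alice@example.com", "bob@hr.me.mycompany.de", "eve@other.org"):
        print(f"{addr:28} -> {routing_entry_for(addr, configured)}")
```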

Recipient Verification

Verify Recipients: Here you can specify whether and how email recipients are to be verified.


• With Callout: A request is sent to the server to verify the recipient.

• In Active Directory: A request is sent to the Active Directory server to verify the recipient. To be able to use Active Directory you must have an Active Directory server specified in Definitions & Users > Authentication Services > Servers. Enter a base DN into the Alternative Base DN field.

Note – The use of Active Directory recipient verification may lead to bounced messages in case the server does not respond.

• Off: You can turn off recipient verification completely, but this is not recommended, as it will lead to a higher spam traffic volume and dictionary attacks. Thus your quarantine is likely to be flooded with unsolicited messages.

Click Apply to save your settings.

10.1.3 Antivirus

The Antivirus tab contains various measures against emails that carry harmful and dangerous content such as viruses, worms, or other malware.

Note – Outgoing emails will be scanned if the checkbox Scan relayed (outgoing) messages on the Relaying tab is selected.

Scan During SMTP Transaction

Select the checkbox Reject malware during SMTP transaction if you want to have messages scanned already during the SMTP transaction and to have them rejected in case they contain malware.

In Profile Mode: This setting cannot be changed per profile. Messages with more than one recipient will skip this feature if one of the recipient profiles has Antivirus Scanning turned off. This means it is advisable to leave the regular antivirus setting below set to either Blackhole or Quarantine.

Click Apply to save your settings.

Antivirus Scanning

When using this option, emails will be scanned for unwanted content such as viruses, trojan horses, or suspicious file types. Messages containing malicious content will be blocked and stored in the email quarantine. Users can review and release their quarantined messages


either through the Sophos User Portal or the daily Quarantine Report. However, messages containing malicious content can only be released from the quarantine by the administrator in the Mail Manager.

Antivirus: You can configure how to proceed with messages that contain malicious content. The following actions are available:

• Off: There will be no antivirus scans.

• Blackhole: Incoming messages will be accepted and instantly removed. Outgoing messages will never be blackholed, to avoid unintended mail loss. They will be quarantined instead.

• Quarantine: The message will be blocked and stored in the email quarantine. Quarantined messages can be reviewed either through the User Portal or the daily Quarantine Report. Note that messages containing malicious content can only be released from the quarantine by an administrator.

Sophos UTM features several antivirus engines for best security:

• Single Scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.

• Dual Scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.

Quarantine unscannable and encrypted content: Select this option to quarantine emails whose content could not be scanned. Unscannable content may be encrypted or corrupt archives or oversized content, or there may be a technical reason like a scanner failure.

Click Apply to save your settings.

MIME Type Filter

The MIME type filter reads the MIME type of email contents. You can define how the different MIME types are to be dealt with.

• Quarantine Audio Content: When you select this checkbox, audio content such as mp3 or wav files will be quarantined.

• Quarantine Video Content: When you select this checkbox, video content such as mpg or mov files will be quarantined.

• Quarantine Executable Content: When you select this checkbox, executable content such as exe files will be quarantined.


Additional types to quarantine: To add a MIME type other than the above that shall be quarantined, click the Plus icon in the Additional Types To Quarantine box and enter the MIME type (e.g., image/gif). You can use wildcards (*) on the right side of the slash, e.g., application/*.

Whitelisted content types: You can use this box to generally allow certain MIME types. To add a MIME type, click the Plus icon in the Whitelisted content types box and enter the MIME type. Click Apply to save your settings.

MIME type                    MIME type class
audio/*                      audio files
video/*                      video files
application/x-dosexec        applications
application/x-msdownload     applications
application/exe              applications
application/x-exe            applications
application/dos-exe          applications
vms/exe                      applications
application/x-winexe         applications
application/msdos-windows    applications
application/x-msdos-program  applications

Table 2: MIME types known by the MIME Type Filter
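As an added example (not code from the manual or the UTM), the following script reproduces the MIME Type Filter's decision for a single email part: the three class checkboxes backed by Table 2, the Additional Types To Quarantine list with its wildcard rule, and the whitelist. It assumes that a whitelisted type is never quarantined, even when a class or an additional pattern would otherwise match; the settings and MIME types it runs over are constructed sample values.

```python
"""Reproduce the SMTP MIME Type Filter decision for one email part.

Added example; it is not part of the Sophos manual or the UTM software. It
encodes the MIME type classes from Table 2, the three Quarantine ... Content
checkboxes, the Additional Types To Quarantine list (wildcards only right of
the slash, e.g. application/*) and the Whitelisted content types list.
Assumption: a whitelisted type is never quarantined, even if a class or an
additional pattern would otherwise match.
"""
from __future__ import annotations

import fnmatch

# Table 2 of the manual: the types the filter treats as executable content.
EXECUTABLE_TYPES = (
    "application/x-dosexec", "application/x-msdownload", "application/exe",
    "application/x-exe", "application/dos-exe", "vms/exe",
    "application/x-winexe", "application/msdos-windows",
    "application/x-msdos-program",
)
CLASS_PATTERNS = {
    "audio": ("audio/*",),
    "video": ("video/*",),
    "executable": EXECUTABLE_TYPES,
}


def validate_mime_pattern(pattern: str) -> str:
    """Accept 'type/subtype' or 'type/*'; a wildcard left of the slash is rejected."""
    pattern = pattern.strip().lower()
    if pattern.count("/") != 1:
        raise ValueError(f"MIME pattern needs exactly one '/': {pattern!r}")
    major, minor = pattern.split("/")
    if not major or not minor:
        raise ValueError(f"incomplete MIME pattern: {pattern!r}")
    if "*" in major:
        raise ValueError("wildcards are only allowed on the right side of the slash")
    return pattern


def is_valid_mime_pattern(pattern: str) -> bool:
    """Convenience wrapper: True if validate_mime_pattern() accepts the entry."""
    try:
        validate_mime_pattern(pattern)
    except ValueError:
        return False
    return True


def mime_matches(pattern: str, mime_type: str) -> bool:
    """The major type must match exactly; the subtype may use '*' as a glob."""
    p_major, p_minor = validate_mime_pattern(pattern).split("/")
    t_major, _, t_minor = mime_type.strip().lower().partition("/")
    return p_major == t_major and fnmatch.fnmatchcase(t_minor, p_minor)


def filter_decision(mime_type: str, *, quarantine_audio: bool, quarantine_video: bool,
                    quarantine_executable: bool, additional: list[str],
                    whitelist: list[str]) -> tuple[str, str]:
    """Return ('allow' | 'quarantine', reason) for a part of the given MIME type."""
    for entry in whitelist:                       # whitelist wins (assumption)
        if mime_matches(entry, mime_type):
            return "allow", f"whitelisted by {entry}"
    enabled = {"audio": quarantine_audio, "video": quarantine_video,
               "executable": quarantine_executable}
    for cls, on in enabled.items():               # the three class checkboxes
        if on and any(mime_matches(p, mime_type) for p in CLASS_PATTERNS[cls]):
            return "quarantine", f"{cls} content"
    for entry in additional:                      # Additional Types To Quarantine
        if mime_matches(entry, mime_type):
            return "quarantine", f"additional type {entry}"
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed settings; the parts' MIME types are sample values.
    settings = dict(quarantine_audio=True, quarantine_video=False,
                    quarantine_executable=True, additional=["image/*"],
                    whitelist=["image/png"])
    for mt in ("application/x-msdownload", "audio/mpeg", "image/gif", "image/png",
               "video/mp4", "text/plain"):
        print(f"{mt:26} -> {filter_decision(mt, **settings)}")
```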

File Extension Filter

This feature filters and quarantines emails (with warnings) that contain certain types of files based on their extensions (e.g., executables). To add file extensions, click the Plus icon in the Blocked file extensions box and enter a critical file extension you want to be restricted, e.g., exe or jar (without the dot delimiter). Click Apply to save your settings.

Note – Archives cannot be scanned for forbidden file extensions. To protect your network from malware included in archives you might want to consider blocking the respective archive file extensions altogether.


Antivirus Check Footer

For each outgoing email, you can add and customize a special footer informing users that the email has been scanned for malicious content. However, the footer will only be added if the checkbox Scan Relayed (Outgoing) Messages on the Relaying tab is selected. In addition, the antivirus check footer will not be appended to the email if the email is a reply (i.e. has an In-Reply-To header) or if the content type of the email could not be determined. Activate the checkmark Use the Text Below as a Footer and enter the footer text. Click Apply to save your settings.

Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render them invalid. If you want to create digital signatures on the client side, disable the antivirus check footer option. However, if you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general antivirus check footer, consider using the built-in email encryption feature of Sophos UTM. Email encryption done on the gateway means that the footer is added to the message prior to creating the digital signature, thus leaving the signature intact.

10.1.4 Antispam

Sophos UTM can be configured to detect unsolicited spam emails and to identify spam transmissions from known or suspected spam purveyors. The configuration options on the Antispam tab let you configure SMTP security features aimed at preventing your network from receiving unsolicited commercial email.

Note – Outgoing emails will be scanned if the checkbox Scan relayed (outgoing) messages on the Relaying tab is selected.

Note – Some of the features on this tab are not available with a BasicGuard subscription.

Spam Detection During SMTP Transaction

You can reject spam already during the SMTP transaction, i.e., before the message is accepted for delivery. Select one of the following settings for the option Reject at SMTP Time:

• Off: Spam detection is disabled and no email is rejected for spam reasons.
• Confirmed spam: Only confirmed spam is rejected.
• Spam: All emails that the system regards as spam are rejected. Note that the false positive rate may be higher, because emails regarded as probable spam, such as newsletters, may be rejected as well.

Emails that are not rejected during the SMTP transaction are treated according to your settings in the Spam Filter section below.

In Profile Mode: This setting cannot be changed per profile. Messages with more than one recipient skip this feature if one of the recipient profiles has spam scanning completely turned off. It is therefore advisable to leave the regular spam scanning setting set to either Spam or Confirmed spam.

RBLs (Realtime Blackhole Lists)

A Realtime Blackhole List (RBL) is a means by which an Internet site can publish a list of IP addresses linked to spamming.

Use recommended RBLs: Selecting this option causes the mail transfer agent to query external databases of known spam senders (so-called Realtime Blackhole Lists). Messages sent from a site included in one or more of these lists are rejected. Several services of this type are available on the Internet. This function substantially reduces the amount of spam.

By default, the following RBLs are queried:

• Commtouch IP Reputation (ctipd.org)
• cbl.abuseat.org

Note – The list of RBLs queried by Sophos UTM is subject to change without notice. Sophos does not warrant for the contents of these databases.

You can also add further RBL sites to enhance the antispam capability of Sophos UTM. To do so, click the Plus icon in the Extra RBL zones box. In the text box that appears, enter the RBL zone. Click Apply to save your settings.

Spam Filter

Sophos UTM includes a heuristic check of emails for characteristics suggestive of spam. It uses SMTP envelope information and an internal database of heuristic tests and characteristics. This spam filtering option scores messages based on their content and SMTP envelope information. Higher scores indicate a higher spam probability.

With the following two options you can specify what to do with messages that have been assigned a certain spam score. This ensures that potential spam emails are treated differently by the gateway.

• Spam action: Define what to do with messages that are classified as probable spam. Note that there may be false positives, such as newsletters, so blackholing may lead to email loss.
• Confirmed spam action: Define what to do with messages that are classified as confirmed spam.

You can choose between the following actions for those two types of spam:

• Off: No messages are marked as spam or filtered out.
• Warn: No messages are filtered out. Instead, for incoming messages, a spam flag is added to the message's header and a spam marker is added to the message's subject. Outgoing messages are sent without action.
• Quarantine: Messages are blocked and stored in the email quarantine. Quarantined messages can be reviewed either through the User Portal or the daily Quarantine Report.
• Blackhole: Incoming messages are accepted and instantly discarded. Outgoing messages are never blackholed, to avoid unintended mail loss; they are quarantined instead.

Spam marker: With this option you can specify a spam marker, that is, a string that is added to the message's subject line, making it easy to identify spam messages quickly. By default, the string *SPAM* is used to tag messages as spam.

Sender Blacklist

The envelope sender of incoming SMTP sessions is matched against the addresses on this blacklist. If the envelope sender is found on the blacklist, the message is rejected at SMTP time. Settings in the Reject at SMTP Time field do not affect this function.

To add a new address pattern to the blacklist, click the Plus icon in the Blacklisted Address Patterns box, enter (a part of) an address, and click Apply. You can use an asterisk (*) as a wildcard, e.g., *@abbeybnknational.com. Keep in mind that the envelope sender is trivially forged, so a blacklist entry only blocks senders who use exactly that address.

Tip – End users can create their personal blacklist and whitelist in the User Portal.


Expression Filter

The expression filter scans the content of messages passing through the SMTP proxy for specific expressions. Suspicious emails are blocked. Expressions can be entered as Perl Compatible Regular Expressions. Simple strings such as "online dating" are interpreted in a case-insensitive manner. Click Apply to save your settings.

Cross Reference – For detailed information on using regular expressions in the expression filter, see the Sophos Knowledgebase.

Advanced Antispam Features

This area gathers various other advanced options that increase the antispam capability of Sophos UTM.

Reject invalid HELO/missing RDNS: Select this option to reject hosts that send an invalid HELO or that lack a reverse DNS (RDNS) entry. If you want to exempt hosts from this check, refer to the Exceptions tab.

Do strict RDNS checks: Select this option to additionally reject mail from hosts with invalid RDNS records. An RDNS record is invalid if the hostname found does not resolve back to the original IP address (forward-confirmed reverse DNS).
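The following added example, which is not the UTM's own code, puts the connection-time checks from the RBL section and from the two RDNS/HELO options above into one decision function. The DNS answers come from a constructed in-memory table (documentation addresses, not real listings), so it runs offline; what counts as an "invalid HELO" here is this example's own rule, since the page does not define it.

```python
"""Connection-time antispam checks described above: RBL (DNS blocklist) lookup, HELO
validity, reverse DNS and the strict forward-confirmed variant. Added example, not the
UTM's own code; DNS answers come from a constructed in-memory table so it runs offline."""
import ipaddress
import re

# Constructed DNS data for the example (documentation addresses, not real listings).
FAKE_DNS = {
    ("1.2.0.192.cbl.abuseat.org", "A"): ["127.0.0.2"],   # 192.0.2.1 is "listed"
    ("1.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.1"],             # resolves back: FCrDNS ok
    ("2.2.0.192.in-addr.arpa", "PTR"): ["relay.example.org"],
    ("relay.example.org", "A"): ["198.51.100.7"],          # does not resolve back
}


def lookup(name, rtype):
    """Stand-in for a resolver query; returns a list of record data (empty = NXDOMAIN)."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def rbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended, e.g. 192.0.2.1 in cbl.abuseat.org
    becomes 1.2.0.192.cbl.abuseat.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip, zones):
    """Return the first zone that lists the IP, else None. By convention a listing is an A
    record inside 127.0.0.0/8; anything else (or no answer) means not listed."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for zone in zones:
        for answer in lookup(rbl_name(ip, zone), "A"):
            if ipaddress.IPv4Address(answer) in loopback:
                return zone
    return None


HELO_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def valid_helo(helo):
    """Accept a fully qualified host name or a bracketed IPv4 address literal (RFC 5321).
    Bare words such as 'localhost' or an unbracketed IP are what this example rejects."""
    h = helo.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        try:
            ipaddress.IPv4Address(h[1:-1])
            return True
        except ValueError:
            return False
    if h.replace(".", "").isdigit():          # a bare IP is not a host name
        return False
    return bool(HELO_RE.match(h))


def ptr_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def rdns_check(ip, strict=False):
    """Non-strict: the IP must have a PTR record. Strict: the PTR host name must also
    resolve back to the same IP (forward-confirmed reverse DNS). Returns (ok, detail)."""
    names = lookup(ptr_name(ip), "PTR")
    if not names:
        return False, "no PTR record"
    if not strict:
        return True, names[0]
    for name in names:
        if ip in lookup(name, "A"):
            return True, name
    return False, f"{names[0]} does not resolve back to {ip}"


def admit_connection(ip, helo, zones=("cbl.abuseat.org",), strict_rdns=False):
    """Apply the checks to one inbound SMTP connection; returns (accept, SMTP reply)."""
    zone = rbl_listed(ip, zones)
    if zone:
        return False, f"554 5.7.1 {ip} is listed in {zone}"
    if not valid_helo(helo):
        return False, "554 5.7.1 invalid HELO/EHLO"
    ok, detail = rdns_check(ip, strict_rdns)
    if not ok:
        return False, f"554 5.7.1 {detail}"
    return True, f"250 OK (rDNS {detail})"
```

With the constructed data, 192.0.2.2 passes the plain RDNS check (it has a PTR record) but fails the strict one, because relay.example.org points at a different address; that is the difference between the two options.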

Use Greylisting: Greylisting means the temporary rejection of emails for a certain amount of time. Typically, a mail server using greylisting records the following pieces of information for all incoming messages:

• The sender address
• The IP address of the host the message is sent from
• The recipient address
• The message subject

This data set is checked against the SMTP proxy's internal database. If the data set has not been seen before, a record is created in the database along with a time stamp, and the email is rejected with a temporary error for a period of five minutes. After that time the data set is known to the proxy and the message is accepted when it is sent again. Note that the data set expires after a week if it is not updated within this period.

Greylisting relies on the fact that most spam-sending software works in "fire-and-forget" fashion: try to deliver the mail and, if it does not work, forget it. Spam senders therefore do not try again after a temporary failure, contrary to RFC-conformant mail servers. Since temporary failures are built into the RFC specifications for email delivery, a legitimate server will retry later, at which time the destination accepts the message.
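The following added example implements the greylisting behaviour described above (unknown data set deferred for five minutes, known data set accepted on retry, records expiring after a week). It is illustrative code, not the UTM's; the clock is injectable so the scenario runs instantly, and the addresses in it are constructed.

```python
"""Greylisting store with the behaviour the text describes: an unknown data set is
rejected temporarily for five minutes, a known one is accepted on retry, and records
expire after a week without activity. Added example, not the UTM's code; the clock is
injectable so the scenario below runs instantly and deterministically."""
import time


class Greylist:
    TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
    ACCEPT = "250 OK"

    def __init__(self, delay=5 * 60, expiry=7 * 24 * 3600, clock=time.time):
        self.delay, self.expiry, self.clock = delay, expiry, clock
        self._seen = {}  # data set -> [first_seen, last_seen]

    @staticmethod
    def data_set(sender, ip, recipient, subject):
        """The four items the text lists; addresses are case-folded, the subject is not."""
        return (sender.lower(), ip, recipient.lower(), subject)

    def _expire(self, now):
        stale = [k for k, (_, last) in self._seen.items() if now - last > self.expiry]
        for k in stale:
            del self._seen[k]

    def decide(self, sender, ip, recipient, subject):
        now = self.clock()
        self._expire(now)
        key = self.data_set(sender, ip, recipient, subject)
        rec = self._seen.get(key)
        if rec is None:                        # never seen: record it and defer
            self._seen[key] = [now, now]
            return self.TEMPFAIL
        rec[1] = now                           # any retry keeps the record alive
        if now - rec[0] < self.delay:          # retried too early: still deferred
            return self.TEMPFAIL
        return self.ACCEPT

    def __len__(self):
        return len(self._seen)


class FakeClock:
    """Manual clock for tests and demos."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scenario():
    """A legitimate MTA retrying versus a fire-and-forget spammer. Returns the replies."""
    clock = FakeClock()
    gl = Greylist(clock=clock)
    args = ("alice@example.com", "192.0.2.1", "bob@example.net", "Meeting")
    out = [gl.decide(*args)]          # first attempt: deferred
    clock.advance(60)
    out.append(gl.decide(*args))      # legitimate MTA retries after 1 min: still deferred
    clock.advance(10 * 60)
    out.append(gl.decide(*args))      # retry after the 5 min window: accepted
    out.append(gl.decide(*args))      # next message with the same data set: accepted at once
    out.append(gl.decide("spam@example.org", "198.51.100.9", "bob@example.net", "Buy now"))
    # the spammer never retries, so its record just sits until it expires
    clock.advance(8 * 24 * 3600)
    out.append(gl.decide(*args))      # alice's record expired after a week: deferred again
    return out
```

Keeping first_seen and last_seen separately matters: if a single time stamp were refreshed on every retry, a retry inside the window would push the window forward and a correctly behaving MTA could be deferred indefinitely.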

Use BATV: BATV (Bounce Address Tag Validation) is an IETF draft that addresses the problem of distinguishing legitimate from unauthorized uses of your email addresses. BATV signs the envelope sender of outgoing mail: a shared secret is used to compute a hash over the address, time-varying information and some random data, and the resulting tag is embedded in the envelope sender address, proving that the email was really sent by you. It is used primarily to reject bounce messages for mail you never sent. With BATV you can check whether bounces you receive were really caused by your own email and not by a spammer forging a message with your address. If a bounce arrives for an address that is not signed according to BATV, the SMTP proxy will not accept the message. Note that the signature provided by BATV expires after seven days. To change the key (also known as the BATV secret) used to compute the hash of an email's envelope MAIL FROM address, go to the Email Protection > SMTP > Advanced tab.

Note – Some mail transfer agents may reject a message whose envelope sender address was modified using BATV. In this case, you need to create an exception rule for the senders, recipients, or domains affected.
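The following added example shows BATV signing and bounce verification as described above. It is not the UTM's code: the tag layout follows the PRVS scheme of the BATV draft (prvs=KDDDSSSSSS=local@domain), the UTM's exact tag format is not documented on this page, and the choice of HMAC-SHA256 truncated to six hex digits and the seven-day lifetime are assumptions made for the example.

```python
"""BATV signing and verification of the envelope sender, as the text describes: a shared
secret keys a hash over the address and a time-varying value, the tag is embedded in
MAIL FROM, and a bounce to an address without a valid, unexpired tag is rejected.
Added example: the tag layout follows the PRVS scheme of the BATV draft
(prvs=KDDDSSSSSS=local@domain); the UTM's exact tag format is not documented here and
this is not its code. HMAC-SHA256 truncated to six hex digits is an assumption."""
import hashlib
import hmac
import re

PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+@.+)$")


def _tag_sig(secret, key_version, expiry_day, address):
    """Six hex digits of HMAC(secret, K || DDD || original address)."""
    msg = f"{key_version}{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def batv_sign(address, secret, now, lifetime_days=7, key_version=0):
    """Rewrite the envelope MAIL FROM of an outgoing message. DDD is the expiry day
    counted from 1970-01-01, modulo 1000, so the tag is valid for lifetime_days."""
    local, _, domain = address.partition("@")
    expiry_day = (int(now // 86400) + lifetime_days) % 1000
    sig = _tag_sig(secret, key_version, expiry_day, address)
    return f"prvs={key_version}{expiry_day:03d}{sig}={local}@{domain}"


def batv_check(rcpt, secret, now, lifetime_days=7):
    """Verify the RCPT TO of an incoming bounce (MAIL FROM:<>). Returns (accept, detail);
    on success detail is the original address to deliver the bounce to."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "bounce to unsigned address"
    key_version, day, sig, orig = int(m["k"]), int(m["day"]), m["sig"], m["orig"]
    if not hmac.compare_digest(sig, _tag_sig(secret, key_version, day, orig)):
        return False, "bad signature"
    today = int(now // 86400) % 1000
    # days until expiry, accounting for the mod-1000 wrap; expired tags come out large
    if (day - today) % 1000 > lifetime_days:
        return False, "tag expired"
    return True, orig


def handle_bounce(rcpt, secret, now):
    """SMTP reply for RCPT TO on a null-sender session, mirroring the proxy's decision."""
    ok, detail = batv_check(rcpt, secret, now)
    return f"250 OK, deliver to {detail}" if ok else f"550 5.7.1 BATV: {detail}"
```

The check is only meaningful when every MX for the domain shares the same secret, which is why the BATV secret on the Advanced tab should be identical on all of them; a bounce signed by one MX would otherwise be rejected by the others as "bad signature".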

Perform SPF check: SPF (Sender Policy Framework) is a framework in which domain owners publish information about their outgoing email servers. Domains use public DNS records to direct requests for different services (web, email, etc.) to the machines that perform those services. All domains already publish MX records to let others know which machines receive mail for the domain. SPF works by domains publishing a kind of "reverse MX" record that tells the world which machines send mail from the domain. When receiving a message from a certain domain, the recipient can check those records to make sure that the mail is coming from where it should be coming from.

Cross Reference – Further information is available at the Sender Policy Framework website.
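The following added example is a minimal SPF evaluator for the check described above; it is not the UTM's implementation. It handles the ip4, a, mx, include and all mechanisms with the four qualifiers, treats anything else as a non-match, and reads its records from a constructed DNS table with documentation names and addresses.

```python
"""Minimal SPF evaluation illustrating the check described above: the receiving side
looks up the sender domain's v=spf1 TXT record and tests whether the connecting IP is
authorised by it. Added example, not the UTM's implementation; it handles the ip4, a,
mx, include and all mechanisms only, and DNS answers come from a constructed table."""
import ipaddress

# Constructed records (documentation names and addresses).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.10"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/25 ~all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_check(ip, domain, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for the connecting IP."""
    if depth > 10:                       # include loops / excessive recursion
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.split()[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            target = arg or domain
            hosts = [target] if name == "a" else lookup(target, "MX")
            matched = any(str(addr) in lookup(h, "A") for h in hosts)
        elif name == "include":
            sub = spf_check(ip, arg, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:                            # ip6, exists, ptr, redirect=: not modelled here
            matched = False
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # no mechanism matched and no 'all' term


def spf_reply(ip, mail_from):
    """How a gateway might act: reject on fail, accept everything else (softfail is
    typically only scored). Returns the SMTP reply text."""
    domain = mail_from.rpartition("@")[2]
    result = spf_check(ip, domain)
    if result == "fail":
        return f"550 5.7.1 SPF check failed for {mail_from} from {ip}"
    return f"250 OK (spf={result})"
```

Note that SPF is evaluated against the envelope MAIL FROM domain and the connecting IP, which is why the Upstream Host List on the Relaying tab matters: behind a forwarding ISP relay the connecting IP is the relay, not the original sender, and the check would fail for legitimate mail.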

As an additional antispam feature, the SMTP proxy tacitly checks each recipient address it receives with your backend mail server(s) before accepting mail for that address. Emails for invalid recipient addresses are not accepted. For this function to work, your backend mail server(s) must reject mails for unknown recipients at the SMTP stage. The general rule is that if your backend server rejects a message, the SMTP proxy rejects it, too.

Note, however, that recipient verification is not done for trusted (authenticated) or relay hosts, because some user agents encounter problems when recipients are rejected during the SMTP transaction. In the usual scenario (the backend mail server rejects unknown recipients during the SMTP transaction), Sophos UTM only generates bounces in the following cases:

• When a trusted or relay source sends a message to an undeliverable recipient.
• When the backend mail server was down, so that Sophos UTM was not able to verify the recipient.

However, Sophos UTM does not prevent your backend mail server(s) from sending non-delivery reports (NDRs) or bounces. In addition, Sophos UTM caches positive callout replies from the mail server for 24 hours, and negative ones for two hours.

10.1.5 Data Protection

On the SMTP > Data Protection tab, the Data Protection feature allows you to reduce accidental data loss from workstations by monitoring and restricting the transfer of files containing sensitive data. Accidental data loss is commonly caused by employees mishandling sensitive data; for example, a user sends a file containing sensitive data home via email (SMTP). Data Protection scans outgoing emails, including the subject line, message body and attachments, for sensitive or confidential information. Based on the outcome, the email can be encrypted using SPX encryption, rejected, or sent.

To configure Data Protection, define the settings in the following sections. As long as no Sophos content control rule is selected and no custom rule is defined, the feature is disabled.

Data Protection Policy

Scan within attachments: If selected, attachments are scanned for sensitive data in addition to the message itself. This scan uses the SAVI engine and covers a large variety of file types, depending on the current database.

Action on rule match: Select how to handle an email if the policy is triggered:

Blackhole: An email that triggers the policy is not sent.

Send with SPX encryption: An email that triggers the policy is automatically sent SPX encrypted (see the Email Protection > SPX Encryption tab). If SMTP is used in Simple Mode, the SPX template selected on the SMTP > Global tab is used for SPX encryption. If SMTP is used in Profile Mode, the SPX template used depends on the SMTP profile the sender's domain is assigned to (see the SMTP Profiles tab). If the sender's domain is not assigned to any profile, the default template selected on the SMTP > Global tab is used.

Allow: An email that triggers the policy is sent nevertheless.

On match, notify: Select whom to notify:

• the email sender,
• the administrator,
• other,
• or all of them.

Next to other, enter an email address. The notification email can be customized on the Management > Customization > Email Messages tab.

Click Apply to save your settings.

Sophos Content Control Lists Rules

Type: Select an entry from the drop-down list to reduce the number of displayed rules accordingly.

Region: Select an entry from the drop-down list to reduce the number of displayed rules accordingly.

Show selected only: If enabled, only selected rules are displayed in the list.

Rules: Select the rules you want to use for the Data Protection feature. Hovering the cursor over an entry shows a tool-tip with additional information about the rule.

Click Apply to save your settings.

Custom Rules

Custom expression: Enter expressions that you want to use for the Data Protection feature in addition to the rules selected above. You can add regular expressions.

Cross Reference – For detailed information on using regular expressions here, see the Sophos Knowledgebase.

Click Apply to save your settings.


10.1.6 Exceptions

On the SMTP > Exceptions tab you can whitelist hosts, networks, senders, and recipients that are to be excluded from antispam, antivirus, or other security checks.

Note – Since emails can have many recipients, and Sophos UTM implements inline scanning for the SMTP protocol, scanning of an email is skipped for all recipients if one of the email's recipients is listed in the Recipients box.

To create an exception, proceed as follows:

1. On the Exceptions tab, click New Exception List.
   The Create Exception List dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this exception.

   Skip these checks: Select the security checks that should be skipped. For more information, see Email Protection > SMTP > Antivirus, Antispam, and Data Protection.

   For these source hosts/networks: Select or add the source hosts/networks (i.e., the host or network the messages originate from) that should skip the security checks defined by this exception rule. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

   Note – No exception needs to be created for localhost because local messages are not scanned by default.

   When selecting this option, the Hosts/Networks box opens. You can add a host or network by clicking either the Plus icon or the Folder icon.

   OR these sender addresses: Select the senders' email addresses that should skip the defined security checks. When selecting this option, the Senders box opens. You can either enter a complete valid email address (e.g., [email protected]) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com).

   Note – Use the Senders option with caution, as sender addresses can easily be forged; an exception keyed on a sender address can be triggered by anyone who puts that address in the envelope.

   OR these recipient addresses: Select the recipients' email addresses that should skip the defined security checks. When selecting this option, the Recipients box opens. You can either enter a complete valid email address (e.g., [email protected]) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com).

   Comment (optional): Add a description or other information.

3. Click Save.
   The new exception appears on the Exceptions list.

To either edit or delete an exception, click the corresponding buttons.

10.1.7 Relaying

The SMTP proxy can be used as a mail relay. A mail relay is an SMTP server configured in such a way that it allows specific users, user groups, or hosts to relay (i.e., send) emails through it to domains that are not local.

Note – Some of the features on this tab are not available with a BasicGuard subscription.

Upstream Host List

An upstream host is a host that forwards email to you, e.g., your ISP or an external MX. If you receive inbound email from static upstream hosts, you must enter these hosts here. Otherwise spam protection will not work properly, because the proxy would treat the upstream host, rather than the original sender, as the source of the message.

To add an upstream host, click either the Plus icon or the Folder icon for drag-and-drop from the Networks object list. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page. If you would like to allow upstream hosts only, select the checkbox Allow upstream/relay hosts only. SMTP access is then limited to the defined upstream hosts. Upstream hosts can authenticate to get relaying rights. Click Apply to save your settings.


Authenticated Relay

SMTP clients can authenticate to get relaying privileges. Select the checkbox Allow authenticated relaying and specify the users and user groups that should be able to use this feature. How to add a user is explained on the Definitions & Users > Users & Groups > Users page. Click Apply to save your settings.

Note – If the checkbox Allow upstream/relay hosts only is enabled, Authenticated Relay only works when the sending host is configured as an upstream/relay host.

Host-based Relay

Mail relaying can also be enabled per host. If your local mail server or mail clients should be able to use the SMTP proxy as a mail relay, add the networks and hosts that should be able to send mail through the relay to the Allowed hosts/networks box. The networks and hosts listed are allowed to send messages to any address. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Caution – It is extremely important not to select Any in the Allowed hosts/networks box, because this would result in an open relay, allowing anyone on the Internet to send messages through the SMTP proxy. Spammers will quickly recognize this, leading to massive email traffic. In the worst case, your system will be listed on third-party spammer blacklists. In most configurations, the only hosts that should be allowed to relay mail are the mail servers in your network.

Click Apply to save your settings.

Host/Network Blacklist

Here you can define hosts and networks that are to be blocked by the SMTP proxy. Click Apply to save your settings.

Content Scan For Relayed Messages

When this option is enabled, messages sent by authenticated or host-based relays are also scanned for malicious content. If there are many outgoing mails, turning this option off can improve performance. Click Apply to save your settings.

Note that your global antivirus and antispam settings also apply to outgoing messages. Regardless of those settings, however, infected or spam outgoing messages are never blackholed but always sent to quarantine, to avoid unintended mail loss.
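The following added example combines the Upstream Host List, Authenticated Relay, Host-based Relay and Host/Network Blacklist settings of this tab into a single relay decision for one RCPT TO, and includes a check for the open-relay misconfiguration the Caution warns about. It is illustrative code, not the UTM's own; the domains, networks and users are constructed, and "Any" is modelled as a /0 network.

```python
"""Relay decision for one RCPT TO, combining the Upstream Host List, Authenticated Relay,
Host-based Relay and Host/Network Blacklist settings described above, plus a check for
the open-relay misconfiguration the Caution warns about. Added example, not the UTM's
own code; domains, networks and users are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayConfig:
    local_domains: set = field(default_factory=set)     # domains the proxy accepts mail for
    upstream_hosts: list = field(default_factory=list)  # Upstream Host List (ISP, external MX)
    upstream_only: bool = False                         # Allow upstream/relay hosts only
    relay_users: set = field(default_factory=set)       # Allow authenticated relaying
    allowed_hosts: list = field(default_factory=list)   # Allowed hosts/networks (host-based relay)
    blacklist: list = field(default_factory=list)       # Host/Network Blacklist


def _in(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def relay_decision(cfg, client_ip, rcpt, auth_user=None):
    """Return (accept, SMTP reply). Inbound mail for a local domain is accepted from anyone
    (the antispam checks run afterwards); mail for a foreign domain is relayed only for
    an authenticated user or a listed host."""
    if _in(client_ip, cfg.blacklist):
        return False, "554 5.7.1 host/network blacklisted"
    if cfg.upstream_only and not _in(client_ip, cfg.upstream_hosts + cfg.allowed_hosts):
        # with this option, even authenticated clients must be upstream/relay hosts
        return False, "554 5.7.1 SMTP access limited to upstream/relay hosts"
    domain = rcpt.rpartition("@")[2].lower()
    if domain in cfg.local_domains:
        return True, "250 2.1.5 OK (inbound)"
    if (auth_user is not None and auth_user in cfg.relay_users) or _in(client_ip, cfg.allowed_hosts):
        return True, "250 2.1.5 OK (relay)"
    return False, "554 5.7.1 Relay access denied"


def is_open_relay(cfg):
    """True if Allowed hosts/networks contains an 'Any' entry (a /0 network), which lets
    every host on the Internet relay through the proxy."""
    return any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n in cfg.allowed_hosts)


def example_config():
    """Constructed configuration for the tests below."""
    return RelayConfig(local_domains={"example.com"},
                       upstream_hosts=["203.0.113.5"],
                       relay_users={"alice"},
                       allowed_hosts=["10.0.0.0/24"],
                       blacklist=["198.51.100.0/24"])
```

The is_open_relay check is the one to run against any configuration before it goes live: with an Any entry, relay_decision happily accepts mail from an arbitrary Internet address to an arbitrary foreign domain, which is precisely what gets a gateway blacklisted.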

10.1.8 Advanced

On the SMTP > Advanced tab you can configure additional security options of the SMTP proxy, such as smarthost settings or the transparent mode skiplist, among others.

Parent Proxy

A parent proxy is often required in countries that require Internet access to be routed through a government-approved proxy server. If your security policy requires the use of a parent proxy, you can set it up here by selecting the host definition and port.

Use a parent proxy:

1. Select the checkbox to enable parent proxy use.
2. Select or add the host.
3. Enter the port of the proxy.
   How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
4. Click Apply.
   Your settings will be saved.

Proxy requires authentication: If the parent proxy requires authentication, enter the username and password here.

Transparent Mode

To enable transparent mode for SMTP, select the checkbox and click Apply. Hosts and networks listed in the Skip transparent mode hosts/nets box are not subject to the transparent interception of SMTP traffic. However, to allow SMTP traffic for these hosts and networks, select the Allow SMTP traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here. Click Apply to save your settings.

TLS Settings

TLS certificate: Select a certificate from the drop-down list which is used to negotiate TLS encryption with all remote hosts supporting it. You can create or upload certificates on the Site-to-site VPN > Certificate Management > Certificates tab.

Require TLS negotiation host/nets: Add or select hosts or networks here that always require TLS encryption for email communication. The UTM then holds back emails if TLS encryption is not available for those hosts/nets for some reason, i.e., the messages stay in the mail queue until TLS becomes available again. If TLS does not become available within a reasonable period of time, sending attempts are stopped and the user gets a notification that their email could not be sent.

Require TLS negotiation sender domains: If you want to enforce TLS encryption for incoming emails from certain domains, enter those domains here. Emails sent from those domains without TLS are rejected immediately.

Skip TLS negotiation host/nets: If a particular host or network has problems with TLS encryption, you can enter it in the box and select the appropriate TLS certificate from the drop-down menu. This causes the UTM to skip TLS negotiation for this host or network, which means mail exchanged with it travels in clear text. Click Apply to save your settings.

DomainKeys Identified Mail (DKIM)

DKIM is a method to cryptographically sign outgoing messages. To use DKIM signing, enter your private RSA key and the corresponding key selector into the respective fields and add the domains you want to sign emails for to the DKIM domains box. Receivers verify the signature against the public key published in DNS under selector._domainkey.<domain>, so that record must exist before you enable signing. Click Apply to save your settings.

Confidentiality Footer

For each outgoing email, you can add and customize a confidentiality footer informing users, for example, that the email may contain confidential or privileged information. However, the confidentiality footer is not appended if the email is a reply (i.e., it has an In-Reply-To header) or if the content type of the email could not be determined.

Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft Outlook or Mozilla Thunderbird) would break their signature and render them invalid. If you want to create digital signatures on the client side, disable the confidentiality footer option. If you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general confidentiality footer, consider using the built-in email encryption feature of Sophos UTM. With encryption done on the gateway, the footer is added to the message before the digital signature is created, leaving the signature intact.


Advanced Settings

Here you can configure the SMTP hostname and the postmaster address, among other things.

SMTP hostname: Setting the SMTP hostname causes the proxy to use the specified name in HELO and SMTP banner messages. By default, the normal system hostname is used.

Postmaster address: Specify the email address of the postmaster of the UTM, to whom messages are forwarded that are sent in the form postmaster@[192.168.16.8], where the IP literal is one of the IP addresses of the UTM. Accepting such messages is an RFC requirement.

BATV secret: Here you can change the automatically generated BATV secret used by the SMTP proxy. The BATV secret is a shared key used to sign an email's envelope MAIL FROM address, thus enabling detection of invalid bounce addresses. If you are using several MXs for your domains, set the same BATV secret on all systems; otherwise a bounce signed by one MX will be rejected by the others.

Max message size: The maximum message size that is accepted by the proxy. This setting applies to both incoming and outgoing emails. If your backend server has a limitation with regard to message sizes, set the same or a lower value here.

Max connections: The maximum number of concurrent connections the proxy allows. Default is 20.

Max connections/host: The maximum number of connections per host the proxy allows. Default is 10.

Max mails/connection: The maximum number of mails per connection the proxy allows. Default is 1000.

Max rcpt/mail: The maximum number of recipients per mail the proxy allows. Default is 100.

Footers mode: Here you can define how footers are added to mails. MIME part adds the footer as an extra MIME part; existing part encodings are not changed and national language characters are preserved. The other method is Inline, which means that the footer is separated from the main mail by the -- separator. With this mode you can choose whether the footer should be converted to Unicode (UTF-8) or not. Unicode conversion upgrades the message to preserve national language characters in the footer.
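The following added example shows both footer modes described here, together with the two skip conditions that the Antivirus Check Footer and Confidentiality Footer sections state (replies carrying In-Reply-To, and mail whose content cannot be handled, which this example takes to mean messages signed or encrypted by the client). It is illustrative code, not the UTM's, written against Python's standard email library; the messages are constructed and the signature bytes in the signed sample are placeholders.

```python
"""Gateway footer handling as described for the Antivirus Check Footer, the
Confidentiality Footer and the Footers mode setting: the footer is added either as an
extra MIME part or inline after a separator, and is skipped for replies (In-Reply-To)
and for messages signed or encrypted by the client, where any body change would break
the signature. Added example, not the UTM's code; the messages are constructed."""
import email
from email import policy
from email.message import EmailMessage, MIMEPart

# Content types produced by S/MIME and PGP/MIME clients; the body must not be touched.
SIGNED_OR_ENCRYPTED = {"multipart/signed", "multipart/encrypted",
                       "application/pkcs7-mime", "application/x-pkcs7-mime"}


def footer_allowed(msg):
    """Replies and client-signed/encrypted messages get no footer."""
    if msg["In-Reply-To"]:
        return False
    return msg.get_content_type() not in SIGNED_OR_ENCRYPTED


def add_footer(msg, footer, mode="mime"):
    """Return msg with the footer applied (or unchanged if it must be skipped).
    mode 'mime': append a text/plain part, leaving existing parts and encodings alone.
    mode 'inline': append to the text body after a '-- ' separator line."""
    if not footer_allowed(msg):
        return msg
    if mode == "mime":
        if msg.get_content_type() != "multipart/mixed":
            msg.make_mixed()                 # wrap the existing content as the first part
        part = MIMEPart()
        part.set_content(footer)             # UTF-8, so national characters are preserved
        msg.attach(part)
    elif mode == "inline":
        body = msg.get_body(preferencelist=("plain",))
        if body is None:                     # no usable text body: content type undetermined
            return msg
        text = body.get_content().rstrip("\n")
        body.set_content(text + "\n-- \n" + footer)   # re-encoded as UTF-8 if needed
    else:
        raise ValueError(f"unknown footer mode {mode!r}")
    return msg


def build_plain(reply=False):
    """Constructed plain-text message, optionally marked as a reply."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.net", "hello"
    if reply:
        m["In-Reply-To"] = "<20141001.1@example.net>"
    m.set_content("Hi Bob,\nsee you tomorrow.\n")
    return m


SIGNED_RAW = b"""From: alice@example.com
To: bob@example.net
Subject: signed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def build_signed():
    """Constructed S/MIME-signed skeleton (the signature bytes are placeholders)."""
    return email.message_from_bytes(SIGNED_RAW, policy=policy.default)
```

The MIME part mode never rewrites the original body part, which is why it keeps existing encodings intact; the inline mode has to re-encode the body, which is the "Unicode conversion" the setting refers to.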

Smarthost Settings

A smarthost is a type of mail relay server which allows an SMTP server to route mail to an upstream mail server rather than directly to the recipient's server. Often this smarthost requires authentication from the sender to verify that the sender has the privilege to have mail forwarded through the smarthost.

Use a smarthost: If you want to use a smarthost to send mail, select the checkbox. In that case, the proxy never delivers mail itself, but sends everything to the smarthost.

• Smarthost: Select or add a smarthost object. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
• Smarthost port: The default port for the smarthost connection is 25. You can change it if required.
• This smarthost requires authentication: Select this checkbox if the smarthost requires authentication. Both Plain and Login authentication types are supported. Enter a username and password into the respective fields. Since both methods transmit the credentials without encryption, use them only over a TLS-protected connection.

10.2 SMTP Profiles

The SMTP proxy of Sophos UTM lets you create alternative SMTP profiles, which can then be associated with different domains. That way you can specify domains that should use a profile other than the default profile configured in Email Protection > SMTP. The order of the functions, structured as tabs, reflects the order in which each step is processed at SMTP time.

To create an SMTP profile, proceed as follows:

1. Enable the SMTP profile mode.
   On the Email Protection > SMTP > Global tab, select Profile Mode and click Apply.
   SMTP profile creation in the Email Protection > SMTP Profiles menu is enabled.

2. On the SMTP Profiles tab, click New Profile.
   A dialog box opens.

3. Enter a descriptive name for the profile.

4. Add one or more domains.
   Add one or more domains to the Domains box. The settings of this profile are applied to those domains.

5. Make the following settings:
   You only need to make settings for the functions you want to use. For each of the following functions you can decide whether to use individual settings defined here or the global settings


   defined under Email Protection > SMTP. By default, the global settings option is selected. The individual settings for each function are described below.

   Note – Encrypted emails whose sender address includes a domain name configured here cannot be decrypted by the email encryption/decryption engine of Sophos UTM. Therefore, no profile should be added for external email domains.

   All settings that you can define here can also be set globally in Email Protection > SMTP. Therefore only a list of settings and the differences from the global settings are given here, along with cross-references to the respective global setting, where detailed information can be found.

   The following settings can be made:

   • Routing: On the Routing tab you can configure domain and routing targets for the SMTP proxy and define how recipients are to be verified.
     • Static Host List
     • DNS Hostname
     • MX Records
     For detailed information please refer to Email Protection > SMTP > Routing.
   • Recipient Verification
     Verify Recipients: Here you can specify whether and how email recipients are to be verified.
     • With Callout: A request is sent to the backend server to verify the recipient.
     • In Active Directory: A request is sent to the Active Directory server to verify the recipient. To be able to use Active Directory, you must have an Active Directory server specified in Definitions & Users > Authentication Services > Servers. Enter a base DN into the Alternative Base DN field.
       Note – The use of Active Directory recipient verification may lead to bounced messages in case the server does not respond.
     • Off: You can turn off recipient verification completely, but this is not recommended, as it leads to a higher spam traffic volume and dictionary attacks. Your quarantine is then likely to be flooded with unsolicited messages.

UTM 9 WebAdmin   335

10 Email Protection   10.2 SMTP Profiles

Page 336: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 336/631

10.2 SMTP Profiles   10 Email Protection

For detailed information please refer to Email Protection > SMTP > Routing .

• Sophos UTM RBLs: Here you can block IP addresses linked to spamming.

  • Use recommended RBLs

  For detailed information please refer to Email Protection > SMTP > Antispam.

• Extra RBLs: You can add further RBL sites to enhance the antispam capability of Sophos UTM. For detailed information please refer to Email Protection > SMTP > Antispam. Note that, as a third option, you can add the global settings to your individual settings here.

• BATV/RDNS/HELO/SPF/Greylisting: This tab gathers various other advanced options that increase the antispam capability of Sophos UTM.

  • Reject Invalid HELO/Missing RDNS

  • Use Greylisting

  • Use BATV

  • Perform SPF Check

  For detailed information please refer to Email Protection > SMTP > Antispam.

• Antivirus Scanning: You can configure how to proceed with messages that contain malicious content. The following actions are available:

  • Off

  • Quarantine

  • Blackhole

  You can choose between the following antivirus scan options:

  • Single Scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.

  • Dual Scan: Provides the maximum detection rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with a BasicGuard subscription.

  Quarantine unscannable and encrypted content: Select this option to quarantine emails whose content could not be scanned. Unscannable content may be encrypted or corrupt archives or oversized content, or there may be a technical reason such as a scanner failure.

  For detailed information please refer to Email Protection > SMTP > Antivirus.


• Antispam Scanning: Here you can decide how to deal with unsolicited commercial emails. Both for spam and for confirmed spam you can choose between the following actions:

  • Off

  • Warn

  • Quarantine

  • Blackhole

  For detailed information please refer to Email Protection > SMTP > Antispam.

• Sender Blacklist: The envelope sender of incoming SMTP sessions will be matched against the addresses on this blacklist. If the envelope sender is found on the blacklist, the message will be blackholed. For detailed information please refer to Email Protection > SMTP > Antispam. Note that, as a third option, you can add the global settings to your individual settings here.

• MIME Audio/Video/Executables blocking: The MIME type filter reads the MIME type of email contents. You can select which content types you would like to quarantine:

  • Audio Content

  • Video Content

  • Executable Content

  For detailed information please refer to Email Protection > SMTP > Antivirus.

• MIME Type Blacklist: Here you can add additional MIME types to quarantine. For detailed information please refer to Email Protection > SMTP > Antivirus. Note that, as a third option, you can add the global settings to your individual settings here.

• MIME Type Whitelist: Here you can add MIME types not to quarantine. For detailed information please refer to Email Protection > SMTP > Antivirus. Note that, as a third option, you can add the global settings to your individual settings here.

• Blocked File Extensions: Using the File extension filter you can quarantine emails (with warnings) that contain certain types of files based on their extensions (e.g., executables). For detailed information please refer to Email Protection > SMTP > Antivirus. Note that, as a third option, you can add the global settings to your individual settings here.


• Blocked Expressions: The expression filter scans the content of messages passing through the SMTP proxy for specific expressions. Matching emails will be blocked. For detailed information please refer to Email Protection > SMTP > Antispam. Note that, as a third option, you can add the global settings to your individual settings here.

• Confidentiality Footer: For each outgoing email, you can add and customize a confidentiality footer informing users, for example, that the email may contain confidential or privileged information. However, the confidentiality footer will not be appended if the email is a reply (i.e., it has an In-Reply-To header) or if the content type of the email could not be determined. Note that which footer is appended depends on the sender domain. To use a footer, select the checkbox and enter the footer text.

• SPX Template Selection: The SPX template is used for SPX Encryption. It defines how encrypted emails will be sent to the recipients. For detailed information please refer to Email Protection > SPX Encryption > SPX Templates.

• Data Protection Configuration: Here you can add attachments to the scan list, set notifications and select items from the SophosLabs Content Control List. For detailed information please refer to Email Protection > SMTP > Data Protection.

6.   Click Apply.

Your settings will be saved. The new profile appears on the SMTP Profiles list.

Note – When you select Use global settings for a topic and click Apply, the icon of the function changes to the global settings icon. This gives you an easy overview of which functions use global settings and which use individual settings.

To disable, rename or delete a profile, click the corresponding buttons at the top, below the profile drop-down list.
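The footer rules described above (one footer per sender domain, skipped for replies and for messages whose content type cannot be determined) as an added Python example. This is not Sophos UTM code: the FOOTERS table and the sample messages are constructed for the example, and treating "no plain-text body part can be located" as the undeterminable-content-type case is this example's own interpretation of the rule.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed footer table: one footer per sender domain, standing in for the
# footer text configured in each SMTP profile.
FOOTERS = {
    "example.com": "This email may contain confidential or privileged information.",
}


def parse(raw: bytes):
    """Parse raw message bytes into an EmailMessage (modern email policy)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def footer_for(msg, footers=FOOTERS):
    """Footer configured for the sender's domain, or None if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return footers.get(addr.rpartition("@")[2].lower())


def append_footer(msg, footers=FOOTERS):
    """Append the footer in place and return True, or return False when one of
    the documented exclusions applies: no footer for the sender domain, the
    message is a reply (In-Reply-To present), or no plain-text body part can be
    located (this example's stand-in for "content type could not be determined").
    """
    footer = footer_for(msg, footers)
    if footer is None or msg.get("In-Reply-To"):
        return False
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False
    text = body.get_content().rstrip("\n")
    body.set_content(text + "\n\n-- \n" + footer + "\n")
    return True


# Constructed sample messages covering the four cases.
OUTGOING = b"""From: alice@example.com
To: bob@partner.test
Subject: Quarterly figures
Content-Type: text/plain; charset=utf-8

Please find the figures attached.
"""

REPLY = b"""From: alice@example.com
To: bob@partner.test
Subject: Re: Quarterly figures
In-Reply-To: <20240101.1@partner.test>
Content-Type: text/plain; charset=utf-8

Thanks, received.
"""

OTHER_DOMAIN = b"""From: mallory@other.test
To: bob@partner.test
Subject: Hello
Content-Type: text/plain; charset=utf-8

No footer is configured for this sender domain.
"""

BINARY = b"""From: alice@example.com
To: bob@partner.test
Subject: blob
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

AAAA
"""


def demo():
    """Run the four cases; returns {case name: footer appended?}."""
    cases = (("outgoing", OUTGOING), ("reply", REPLY),
             ("other_domain", OTHER_DOMAIN), ("binary", BINARY))
    return {name: append_footer(parse(raw)) for name, raw in cases}


if __name__ == "__main__":
    print(demo())
```

Only the outgoing message from a configured domain receives the footer; the reply, the message from a domain without a footer and the message without a text body are left untouched.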

10.3 POP3

The menu Email Protection > POP3 lets you configure the POP3 proxy for incoming emails. The Post Office Protocol 3 (POP3) is an application-layer Internet standard protocol that allows the retrieval of emails from a remote mail server. The POP3 proxy works transparently, meaning that all POP3 requests coming from the internal network on port 110 (and 995 if scanning of TLS encrypted traffic is enabled) are intercepted and redirected through the proxy, invisible to the client. The advantage of this mode is that no additional administration or client-side configuration is necessary.

Note – It might be necessary to increase the server timeout settings in the email clients' configuration. Usual default settings of about one minute or less might be too low, especially when fetching large emails.

The POP3 protocol has no server-side tracking of which mails have already been retrieved. Generally, a mail client retrieves a mail and deletes it on the server afterwards. However, if the client is configured not to delete mails, server-side deletion is omitted and the client itself keeps track of which mails have already been fetched.

10.3.1 Global

On the Email Protection > POP3 > Global tab you can configure basic settings for the POP3 proxy.

To configure the POP3 proxy, proceed as follows:

1.   Enable the POP3 proxy.

Click the toggle switch.

The toggle switch turns amber and the POP3 Settings area becomes editable.

2.   Select the allowed networks.

Add or select the networks that should be allowed to proxy POP3 traffic. Typically, this is the internal network. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Caution – It is extremely important not to select an Any network object, because this introduces a serious security risk and opens your appliance up to abuse from the Internet.

3.   Click Apply.

Your settings will be saved.

To cancel the configuration, click the amber colored toggle switch.


Live Log

The POP3 Live Log logs the POP3 proxy activities, showing all incoming emails. Click the button

to open the live log in a new window.

10.3.2 Antivirus

The Antivirus tab contains various measures against emails that carry harmful and dangerous content such as viruses, worms, or other malware.

Antivirus Scanning

When using this option, emails will be scanned for unwanted content such as viruses, trojan horses, or suspicious file types. Messages containing malicious content will be blocked and stored in the email quarantine. Users can review and release their quarantined messages either through the Sophos User Portal or the daily Quarantine Report. However, messages containing malicious content can only be released from the quarantine by the administrator in the Mail Manager.

Sophos UTM features several antivirus engines for best security.

• Single Scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.

• Dual Scan: Provides the maximum detection rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with a BasicGuard subscription.

Quarantine unscannable and encrypted content: Select this option to quarantine emails whose content could not be scanned. Unscannable content may be encrypted or corrupt archives or oversized content, or there may be a technical reason such as a scanner failure.

Max scanning size: Specify the maximum size of files to be scanned by the antivirus engine(s). Files exceeding this size will be exempt from scanning, that is, they are delivered unscanned, so keep the limit as high as performance allows.

Click Apply to save your settings.

File Extension Filter

This feature filters and quarantines emails (with warnings) that contain certain types of files based on their extensions (e.g., executables). To add file extensions, click the Plus icon in the Blocked File Extensions box and enter a critical file extension you want to block, e.g., exe or jar (without the dot delimiter). Click Apply to save your settings.


Note – Archives cannot be scanned for forbidden file extensions. To protect your network

from malware included in archives you might want to consider blocking the respective archive

file extensions altogether.

10.3.3 Antispam

Sophos UTM can be configured to detect unsolicited spam emails and to identify spam transmissions from known or suspected spam purveyors. The configuration options on the Antispam tab let you configure POP3 security features aimed at preventing your network from receiving unsolicited commercial emails.

Spam Filter

Sophos UTM includes a heuristic check of incoming emails for characteristics suggestive of spam. It uses SMTP envelope information and an internal database of heuristic tests and characteristics. This spam filtering option scores messages based on their content and SMTP envelope information. Higher scores indicate a higher spam probability.

With the following two options you can specify what to do with messages that have been assigned a certain spam score. This ensures that potential spam emails are treated differently by the gateway.

• Spam action: Here you can define what to do with messages that are classified as probable spam.

• Confirmed spam action: Here you can define what to do with confirmed spam messages.

You can choose between different actions for those two types of spam:

• Off: No messages will be marked as spam or filtered out.

• Warn: No messages will be filtered out. Instead, a spam flag will be added to the message's header and a spam marker will be added to the message's subject.

• Quarantine: The message will be blocked and stored in the email quarantine. Quarantined messages can be reviewed either through the User Portal or the daily Quarantine Report.

Spam marker: With this option you can specify a spam marker, that is, a string that will be added to the message's subject line, making it easy to identify spam messages quickly. By default, the string *SPAM* is used to tag messages as spam.


Expression Filter

The expression filter scans the message's subject and body for specific expressions. Emails that contain an expression listed here will be blocked. However, if the prefetch option is enabled on the Email Protection > POP3 > Advanced tab, the email will be sent to the quarantine instead. Expressions can be entered as Perl Compatible Regular Expressions. Simple strings such as "online dating" are interpreted in a case-insensitive manner.

Cross Reference – For detailed information on using regular expressions in the expression

filter, see the Sophos Knowledgebase.

Click Apply to save your settings.

Sender Blacklist

The envelope sender of incoming POP3 sessions will be matched against the addresses on this blacklist. If the envelope sender is found on the blacklist, the message will be quarantined and marked as Other in the subject line.

To add a new address pattern to the blacklist, click the Plus icon in the Blacklisted Address Patterns box, enter (a part of) an address, and click Apply. You can use an asterisk (*) as a wildcard, e.g., *@abbeybnknational.com. Keep in mind that the envelope sender is trivially forged, so the blacklist catches careless senders but is no substitute for the spam filter.

Tip – End-users can create their personal blacklist and whitelist in the User Portal.
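The three content checks described on these pages (sender blacklist with an asterisk wildcard, blocked file extensions, and the expression filter with case-insensitive plain strings) as one added Python example run over constructed messages. This is not Sophos UTM code; the FilterConfig class, the verdict ordering (an expression match blocks, a blacklisted sender or blocked attachment quarantines) and the ARCHIVE_EXTENSIONS list are this example's own choices, and Python's re module stands in for the PCRE engine the page mentions. The archive case is reported separately because, as the note above says, a blocked extension inside an archive is not seen by the filter.

```python
import fnmatch
import re
from email import policy
from email.parser import BytesParser

# Constructed list of archive types whose contents the filter does not inspect.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz", "tgz"}


class FilterConfig:
    """The three lists an administrator fills in on the Antivirus/Antispam tabs."""

    def __init__(self, blacklist=(), blocked_extensions=(), expressions=()):
        self.blacklist = [p.lower() for p in blacklist]
        self.blocked_extensions = {e.lower().lstrip(".") for e in blocked_extensions}
        # A plain string such as "online dating" becomes a case-insensitive
        # regular expression; real regex patterns can be given directly.
        self.expressions = [re.compile(e, re.IGNORECASE) for e in expressions]


def sender_blacklisted(envelope_sender, cfg):
    """'*' in a pattern is a wildcard, as in *@abbeybnknational.com."""
    sender = envelope_sender.lower()
    return any(fnmatch.fnmatchcase(sender, p) for p in cfg.blacklist)


def attachment_extension(part):
    """Extension of the attachment's filename, without the dot, lower-cased."""
    name = part.get_filename() or ""
    return name.rpartition(".")[2].lower() if "." in name else ""


def blocked_attachments(msg, cfg):
    """Return (blocked filenames, archive filenames). Archives are listed
    separately because a blocked extension inside an archive is never seen."""
    blocked, archives = [], []
    for part in msg.iter_attachments():
        ext = attachment_extension(part)
        if ext in cfg.blocked_extensions:
            blocked.append(part.get_filename())
        elif ext in ARCHIVE_EXTENSIONS:
            archives.append(part.get_filename())
    return blocked, archives


def matched_expressions(msg, cfg):
    """Search subject and body text for the configured expressions."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body is not None else "")
    return [e.pattern for e in cfg.expressions if e.search(text)]


def inspect(raw, envelope_sender, cfg):
    """Combine the checks into one verdict dict with action, reasons and notes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons, notes = [], []
    if sender_blacklisted(envelope_sender, cfg):
        reasons.append("sender blacklisted")
    blocked, archives = blocked_attachments(msg, cfg)
    reasons += [f"blocked extension: {name}" for name in blocked]
    notes += [f"archive not inspected: {name}" for name in archives]
    expressions = matched_expressions(msg, cfg)
    reasons += [f"expression matched: {pattern}" for pattern in expressions]
    if expressions:
        action = "block"        # expression filter blocks outright
    elif reasons:
        action = "quarantine"   # blacklist and extension filter quarantine
    else:
        action = "deliver"
    return {"action": action, "reasons": reasons, "notes": notes}


# Constructed sample messages.
SUSPECT = b"""From: billing@abbeybnknational.com
To: user@example.com
Subject: Your ONLINE DATING profile
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please open the attached file.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/zip; name="archive.zip"
Content-Disposition: attachment; filename="archive.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

CLEAN = b"""From: friend@partner.test
To: user@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

CONFIG = FilterConfig(
    blacklist=["*@abbeybnknational.com"],
    blocked_extensions=["exe", "jar"],
    expressions=["online dating", r"\bviagra\b"],
)

if __name__ == "__main__":
    print(inspect(SUSPECT, "billing@abbeybnknational.com", CONFIG))
    print(inspect(CLEAN, "friend@partner.test", CONFIG))
```

The suspect message trips all three checks: the envelope sender matches the wildcard pattern, invoice.exe carries a blocked extension, and the upper-case subject still matches the plain-string expression. archive.zip only appears in the notes; if its contents matter, block the archive extension itself, as the note on the File Extension Filter recommends.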

10.3.4 Exceptions

On the POP3 > Exceptions tab you can define client hosts/networks and sender addresses that

shall be excluded from various security features.

To create an exception, proceed as follows:

1.   On the Exceptions tab, click New Exception List .

The Create Exception List dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for this exception.

Skip these checks: Select the security checks that should be skipped. For more information, see Email Protection > POP3 > Antivirus and Antispam.


For these client hosts/networks: Add or select the source hosts/networks (i.e., the hosts or networks messages originate from) that should skip the security checks. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Note – No exception needs to be created for localhost because local messages will not be scanned by default.

When selecting this option, the Client hosts/networks dialog box opens. You can add a host or network by either clicking the plus symbol or the folder symbol.

OR these sender addresses: Select the senders' email addresses that should skip the defined security checks. When selecting this option, the Senders box opens. You can either enter a complete valid email address (e.g., [email protected]) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com).

Note – Use the Senders option with caution, as sender addresses can easily be forged.

Comment (optional): Add a description or other information.

3.   Click Save.

The new exception appears on the Exceptions list.

To either edit or delete an exception, click the corresponding buttons.

10.3.5 Advanced

On the POP3 > Advanced tab you can specify those hosts and networks that can skip the transparent mode of the POP3 proxy. In addition, it contains the POP3 proxy's prefetch option, which allows prefetching messages from a POP3 server and storing them in a database.

Transparent Mode Skiplist

Hosts and networks listed in the Skip transparent mode hosts/nets box will not be subject to the transparent interception of POP3 traffic. However, to allow POP3 traffic for these hosts and networks, select the Allow POP3 traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here. Traffic from skipped hosts bypasses all POP3 scanning, so limit this list to hosts that have their own protection.


POP3 Servers and Prefetch Settings

You can enter one or more POP3 servers here that are used in your network or by your end-users, so that the servers are known to the proxy. Additionally, you can turn on prefetching.

To define a POP3 server, do the following:

1.   Add the DNS name of the POP3 server(s).

In the POP3 servers box, click the Plus icon. In the Add Server dialog window, enter the DNS name and click Save.

A new entry with the entered DNS name and the suffix Servers is displayed in the box. The UTM automatically creates a DNS group with the specified DNS name and associates it with the new POP3 server entry.

2.   Specify the POP3 server's properties.

In the POP3 servers box, click the Edit icon in front of the POP3 server. The Edit Server dialog window opens. Make the following settings:

Name: If you want, modify the POP3 server's name.

Hosts: The box automatically contains a DNS group with the DNS name specified above. Add or select additional hosts or DNS groups. Make sure to add only hosts or DNS groups that serve the same POP3 accounts. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

TLS certificate: Select a certificate from the drop-down list which the proxy will present to POP3 clients when negotiating TLS encryption for connections to this server. You can create or upload certificates on the Site-to-site VPN > Certificate Management > Certificates tab.

Note – For TLS encryption to work, the Scan TLS encrypted POP3 traffic checkbox in the TLS Settings section has to be enabled. For POP3 servers not defined here or not having a TLS certificate, you can select a default TLS certificate in the TLS Settings section.

Comment (optional): Add a description or other information.

3.   Click Save.

The POP3 server is defined.

If no POP3 server is specified and a mail gets caught by the proxy, the proxy immediately replaces the mail, in the same connection, with a notification to the recipient stating that the mail has been quarantined. The quarantined mail can be viewed in the Mail Manager, but is not associated with a server or account and therefore cannot be released in a later connection. Generally, releasing emails from quarantine only works for prefetched messages (see the two scenarios below).

There are two scenarios:

• If POP3 server(s) are given and prefetching is disabled, the proxy keeps track of which quarantined mails belong to which server/account. Thus, quarantined mail can be released when the client polls the mailbox the next time. For this to work, the proxy has to reliably identify which IP addresses belong to which server (by the FQDN you have entered in your mail client).

• If POP3 server(s) are given and prefetching is enabled, the POP3 proxy periodically checks the POP3 server(s) for new messages. If a new message has arrived, it will be copied to the POP3 proxy, scanned and stored in a database on the UTM. The message remains on the POP3 server. When a client tries to fetch new messages, it communicates with the POP3 proxy instead and only retrieves messages from this database.

A POP3 proxy supporting prefetching has a variety of benefits, among others:

• No timeout problems between client and proxy or vice versa.

• Delivery of messages is much faster because emails have been scanned in advance.

• Blocked messages can be released from the User Portal; they will then be included in the next fetch.

If a message was blocked because it contained malicious content or because it was identified as spam, it will not be delivered to the client. Instead, such a message will be sent to the quarantine. A message held in quarantine is stored in the Mail Manager section of the User Portal, from where it can be deleted or released.

Use prefetch mode: To enable prefetch mode, select the checkbox and add one or more POP3 servers to the POP3 Servers box.

Prefetch interval: Select the time interval at which the POP3 proxy contacts the POP3 server to prefetch messages.

Note – The interval at which mail clients are allowed to connect to the POP3 server may vary from server to server. The prefetch interval should therefore not be set to a shorter interval than allowed by the POP3 server, because otherwise the download of POP3 messages would fail as long as access to the POP3 server is blocked.

Note further that several mail clients may query the same POP3 account. Whenever messages were successfully fetched from a POP3 server, the timer until the server can be accessed the next time is restarted. If for that reason the POP3 proxy cannot access a POP3 server four times in a row (by default every 15 minutes), the account password will be deleted from the proxy's mail database and no emails will be fetched until a mail client sends the password to the POP3 server again and successfully logs in.

Delete quarantined mails from server: When you select this option, quarantined messages will be deleted from the POP3 server immediately. This is useful to prevent users from getting spam or virus messages when they connect to the POP3 server not via the UTM but, for example, via the POP3 server's web portal.

If the email client is configured to delete messages from the server after retrieving them, this information will be stored in the database, too. The next time the proxy prefetches messages for this POP3 account, it will delete the messages from the server. This means that as long as no client fetches the messages from the Sophos UTM and no delete command is configured, no message will be deleted from the POP3 server. Therefore, they can still be read, for example, via the web portal of the email provider.

Quarantined messages are deleted from the POP3 server in the following cases:

• Messages are manually deleted via the Mail Manager.

• Messages are manually deleted by the user via the User Portal.

• The message was released (either through the Quarantine Report or the User Portal) and the user's email client is configured to delete messages upon delivery.

• The notification message has been deleted.

• The storage period has expired (see section Configuration in chapter Mail Manager).

In prefetch mode, however, spam messages in quarantine cannot be deleted from the POP3 server directly by means of a client command.

Note – The email client must successfully connect to the POP3 server at least once for the prefetch function to operate properly. This is because Sophos UTM needs to store the name of the POP3 server, the username, and the user's password in a database in order to fetch POP3 messages on behalf of this user. This cannot be achieved by configuring POP3 account credentials in the Sophos User Portal. The POP3 account credentials in the User Portal are needed for prefetched messages to appear in this user's portal and daily Quarantine Report. Because the proxy's database holds mailbox passwords, protect WebAdmin access and configuration backups accordingly.


Note for fetchmail users: The TOP method is not supported for downloading emails from the mail server, for security reasons: messages that are received through TOP cannot be scanned. It will work if you specify the fetchall option (-a on the command line). For more information please read "RETR or TOP" in the fetchmail manual.

Preferred Charset

In this section you can select a charset other than UTF-8 that will be used for those mail headers which have been changed in some way by the UTM (e.g., BATV). This is useful if your users use mail clients which do not understand UTF-8. Generally, the default charset for mail headers works fine for every region. Therefore only change this setting if you are sure this is what you want. If in doubt, keep the default UTF-8.

TLS Settings

Scan TLS encrypted POP3 traffic: If enabled, the UTM will scan TLS encrypted POP3 traffic. For this to work, TLS certificates have to be defined for the POP3 servers accessed by the POP3 clients (see the POP3 Servers and Prefetch Settings section above and the TLS certificate option below).

If disabled, and a POP3 client tries to access a POP3 server via TLS, the connection will not be established.

TLS certificate: Select a certificate from the drop-down list which will be used for TLS encryption with all POP3 clients supporting TLS and trying to access a POP3 server that either is not listed in the POP3 servers box above or does not have a matching TLS certificate associated. The selected certificate will be presented to the POP3 client. POP3 clients usually verify that the TLS certificate presented by the POP3 server matches the configured POP3 server name. For this reason, most POP3 clients will display a warning that the certificate's hostname does not match the expected configured POP3 server's name. However, the user can dismiss the warning and connect nevertheless. If you want to avoid this warning, add all used POP3 servers to the POP3 servers box above and configure matching TLS certificates for each of them. Note that this is TLS interception: the client sees the UTM's certificate instead of the mail server's, so the CA that issued it must be trusted on the clients, and users should not be trained to click through certificate warnings.

If no certificate is selected here, and a POP3 client tries to access a POP3 server via TLS that is not listed in the POP3 servers box or does not have a matching TLS certificate associated, the connection will not be established.

Tip – You can create or upload certificates on the Site-to-site VPN > Certificate Management 

> Certificates tab.


10.4 Encryption

Ever since email became the primary electronic communication medium for personal and business purposes, a legitimate concern over privacy and authentication has arisen. In general terms, email is transmitted in clear text, similar to a postcard which anyone could read. Moreover, as assuming a false identity is easy, it is important for the recipient to be able to tell whether the sender is who they claim to be.

Solutions to these issues are typically accomplished with email encryption and digital certificates, where an email message is electronically signed and cryptographically encoded. Encryption ensures that only the message recipient can open and view the contents of the email (privacy), and the signature lets the recipient verify the identity of the sender (authentication). In other words, this process negates the idea of being sent an "e-postcard", and introduces a process much like registered or certified mail.

Modern cryptography has two methods to encrypt email: symmetric and asymmetric. Both have become standard methods and are utilized in several types of applications. Symmetric key cryptography refers to encryption methods in which both the sender and the receiver share the same key.

On the other hand, asymmetric key cryptography (also known as public key cryptography) is a form of cryptography in which each user has a pair of cryptographic keys: a public key, which encrypts data, and a corresponding private or secret key for decryption. Whereas the public key is freely published, the private key is kept secret by the user. In practice both S/MIME and OpenPGP combine the two methods: the message body is encrypted with a fresh symmetric key, and only that key is encrypted with the recipient's public key.

One drawback of symmetric encryption is that for a sender and recipient to communicate securely, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must prevent the disclosure of the secret key during transmission. Therefore, the persistent problem with symmetric encryption is key distribution: how do I get the key to the recipient without someone intercepting it? Public key cryptography was invented to address exactly this problem. With public key cryptography, users can securely communicate over an insecure channel without having to agree upon a shared key beforehand.

The need for email encryption has produced a variety of public key cryptography standards, most notably S/MIME and OpenPGP, both of which are supported by Sophos UTM. S/MIME (Secure Multipurpose Internet Mail Extensions) is a standard for asymmetric encryption and the signing of emails encapsulated in MIME. It is typically used within a public key infrastructure (PKI) and is based on a hierarchical structure of digital certificates, requiring a trusted instance as Certificate Authority (CA). The CA issues a digital certificate by binding an identity to a pair of electronic keys; this can be seen as a digital counterpart to a traditional identity document such as a passport. Technically speaking, the CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 standard, or to an Alternative Name such as an email address.

A digital certificate makes it possible to verify someone's claim that they have the right to use a given key. The idea is that if someone trusts a CA and can verify that a public key is signed by this CA, then one can also be assured that the public key in question really does belong to the purported owner.

OpenPGP (Pretty Good Privacy), on the other hand, uses asymmetric encryption typically employed in a web of trust (WOT). This means that public keys are digitally signed by other users who, by that act, endorse the association of that public key with the person.

Note – Although both standards offer similar services, S/MIME and OpenPGP have very different formats. This means that users of one protocol cannot communicate with users of the other. Furthermore, authentication certificates also cannot be shared.

By default, if for example S/MIME, OpenPGP and SPX Encryption are all activated, the priorities are: S/MIME, then OpenPGP, and then SPX Encryption.

The entire email encryption is transparent to the user, that is, no additional encryption software is required on the client side. Generally speaking, encryption requires having the destination party's certificate or public key in store. For incoming and outgoing messages, email encryption functions as follows:

• By default, outgoing messages from internal users will be scanned, automatically signed, and encrypted using the recipient's certificate (S/MIME) or public key (OpenPGP), provided the S/MIME certificate or OpenPGP public key of the recipient exists on the UTM.

• Encrypted incoming messages from external users whose S/MIME certificate or OpenPGP public key is known to the UTM will automatically be decrypted and scanned for malicious content. To decrypt the message, the S/MIME key or OpenPGP private key of the internal user must exist on the UTM.

• Encrypted incoming messages from external users or for internal users unknown to the UTM will be delivered, although they cannot be decrypted and therefore are not scanned for viruses or spam. It is then the responsibility of the recipient (internal user) to ensure that the email does not contain any malware, for example by using an antivirus scanner on the client.


• Outgoing messages already encrypted on the client side will be sent directly to the recipient if the recipient's S/MIME certificate or OpenPGP public key is unknown. However, if the recipient's S/MIME certificate or OpenPGP public key is available, the message will be encrypted a second time. Note that pre-encrypted messages cannot be scanned for malicious content.

• Decryption is only possible for incoming emails, where "incoming" means that the domain name of the sender's email address must not be part of any SMTP profile. For example, to decrypt a message sent from [email protected], the domain example.com must not be configured in either the routing settings or any SMTP profile.

• A summary of the signing/encryption result is written into the subject line of each email. For example, an email that was correctly signed and encrypted with S/MIME has '(S/MIME: Signed and encrypted)' appended to the subject line.

Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render them invalid. If you want to create digital signatures on the client side, disable the antivirus check footer option. However, if you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general antivirus check footer, consider using the built-in email encryption feature of Sophos UTM. Email encryption done on the gateway means that the footer is added to the message prior to creating the digital signature, thus leaving the signature intact.

10.4.1 Global

On the Email Protection > Encryption > Global tab you can configure the basic settings of the email encryption functionality.

Note – Encryption only works for SMTP, not for POP3.

Before you can use email encryption, you must first create a Certificate Authority (CA) consisting of a CA certificate and CA key. The CA certificate can be downloaded and stored locally. In addition, it can be installed as an external CA (S/MIME Authority) in other units as illustrated in the diagram to enable transparent email encryption between two Sophos UTM units.

Figure 19 Encryption: Using Two Sophos UTM Units

To configure email encryption, proceed as follows:

1. On the Global tab, enable email encryption.
Click the toggle switch.
The toggle switch turns amber and the Email Encryption Certificate Authority (CA) area becomes editable.

2. Create a certificate authority (CA).
Fill out the form in the Email Encryption Certificate Authority (CA) area. By default, the form is filled out with the values of the Management > System Settings > Organizational tab.

3. Click Save.
The toggle switch turns green and the following certificates and keys are created:
• S/MIME CA Certificate
• OpenPGP Postmaster Key
Note that this may take several minutes to complete. If you do not see the fingerprints of the S/MIME CA certificate or the OpenPGP Postmaster key, click the Reload button in the upper right corner of WebAdmin. The certificate and the key can be downloaded and stored locally.

Use the Reset Email Encryption System Now button to reset all settings in the Encryption menu to the factory default configuration.

10.4.2 Options

On the Encryption > Options tab you can define the default policy to be used within the public key cryptography framework of Sophos UTM.

Default Policy: Specify your default policy for emails in terms of cryptography. These settings can, however, be overridden by customized settings.

The following actions are available:

• Sign outgoing email
• Encrypt outgoing email
• Verify incoming email
• Decrypt incoming email

Click Apply to save your settings.

Note – For encryption to work, the sender must be within the Internal Users list. Outgoing emails for recipients whose S/MIME certificate or OpenPGP public key is present on the gateway will be encrypted by default. If you want to disable encryption for these recipients, delete their S/MIME certificates or OpenPGP public keys. If certificates or public keys are unknown to the UTM, emails will be sent unencrypted.

Automatic Extraction of S/MIME Certificates

When this option is selected, S/MIME certificates will automatically be extracted from incoming emails, provided the certificate that is appended to the email is signed by a trusted certificate authority, that is, a CA present on the unit as shown on the Email Protection > Encryption > S/MIME Authorities tab. In addition, the time and date of Sophos UTM must be within the certificate's validity period for the automatic extraction of certificates to work. Once a certificate has been successfully extracted, it will appear on the Email Protection > Encryption > S/MIME Certificates tab. Note that this may take five to ten minutes to complete. Click Apply to save your settings.

OpenPGP Keyserver

OpenPGP keyservers host public PGP keys. You can add an OpenPGP keyserver here. For signed incoming emails and for outgoing emails that are to be encrypted, the UTM will try to retrieve the public key from the given server if the respective public key is not yet known to the UTM.

10.4.3 Internal Users

For signing and decrypting messages, either the S/MIME key or the OpenPGP private key must be present on the UTM. On the Encryption > Internal Users tab you can create both an individual S/MIME key/certificate and/or OpenPGP key pair for those users for whom email encryption should be enabled.

To create an internal email user, proceed as follows:

1. On the Internal Users tab, click New Email Encryption User.
The Create New User dialog box opens.

2. Make the following settings:

Email address: Enter the email address of the user.

Full name: Enter the name of the user.

Signing: The following signing options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be signed using the certificate of the user.
• Off: Emails will not be signed.

Encryption: The following encryption options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be encrypted using the public key of the recipient.
• Off: Emails will not be encrypted.

Verifying: The following verification options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be verified using the public key of the sender.
• Off: Emails will not be verified.

Decryption: The following decryption options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be decrypted using the certificate of the user.
• Off: Emails will not be decrypted.

S/MIME: Select whether you want to have the S/MIME certificate and key automatically generated by the system or whether you want to upload a certificate in PKCS#12 format. When uploading the certificate, you must know the passphrase the PKCS#12 file was protected with. Note that the PKCS#12 file must contain both the S/MIME key and certificate. Any CA certificate that may be included in this PKCS#12 file will be ignored.


OpenPGP: Select whether you want to have the OpenPGP key pair consisting of a private key and the public key automatically generated by the system or whether you want to upload the key pair in ASCII format. Note that both private and public key must be included in one single file and that the file must not contain a passphrase.

Note – If you configure both S/MIME and OpenPGP for an individual user, emails sent by this user will be signed using S/MIME.

Comment (optional): Add a description or other information.

3. Click Save.
The new user appears on the Internal Users list.

Use the toggle switch to turn the usage of one or both keys off without having to delete the key(s).

Note – The files offered for download contain the S/MIME certificate. The OpenPGP certificate offers the public key. For security reasons it is not possible to download the OpenPGP private key and the S/MIME key.

10.4.4 S/MIME Authorities

On the Encryption > S/MIME Authorities tab you can manage certificate authorities (CA) for email encryption. In addition to pre-installed CAs, you can upload certificates of external certificate authorities. All incoming emails whose certificates are signed by one of the CAs listed and enabled here will be trusted automatically.

Note – If you have selected the Enable automatic S/MIME certificate extraction option on the Email Protection > Encryption > Options tab, certificates signed by a CA listed and enabled here will be extracted automatically and placed on the Email Protection > Encryption > S/MIME Certificates tab.

Local S/MIME Authorities

You can import the certificate (i.e., the public key) of an external certification authority you trust. That way, all incoming emails whose certificates were signed by this CA will be trusted, too. For example, you can install the CA of another Sophos UTM unit, thus enabling transparent email encryption between two Sophos UTM units.

To import an external S/MIME authority certificate, proceed as follows:

1. Click the Folder icon next to the Upload local authority field.
The Upload File dialog window opens.

2. Select the certificate to upload.
Click Browse and select the CA certificate to upload. The following certificate extensions are supported:
• cer, crt, or der: These certificate types are binary and basically the same.
• pem: Base64 encoded DER certificates.

3. Upload the certificate.
Click Start Upload to upload the selected CA certificate.
The certificate will be installed and displayed in the Local S/MIME Authorities area.

You can delete or disable an S/MIME authority certificate if you do not regard the CA as trustworthy. To revoke an S/MIME authority's certificate, click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority. To delete a certificate, click the Empty icon.

Tip – Click the blue Info icon to see the fingerprint of a CA.

Global S/MIME Authorities

The list of S/MIME CAs shown here is identical to the S/MIME CAs pre-installed by Mozilla Firefox. This facilitates email encryption between your company and your communication partners who maintain a PKI based on those CAs. However, you can disable an S/MIME authority certificate if you do not regard the CA as trustworthy. To revoke an S/MIME authority's certificate, click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority.

The following links point to URLs of notable root certificates:
• Trustcenter
• S-TRUST
• Thawte
• VeriSign
• GeoTrust


10.4.5 S/MIME Certificates

On the Encryption > S/MIME Certificates tab, you can import external S/MIME certificates. Emails for recipients whose certificates are listed here will automatically be encrypted. If you want to disable encryption for a particular recipient, simply delete its certificate from the list.

Note – If for a recipient an OpenPGP public key is imported in addition to an S/MIME certificate, emails will be encrypted using OpenPGP.

Note – When you upload an S/MIME certificate manually, messages from the email address associated with the certificate are always trusted, although no CA certificate is available that may identify the person noted in the certificate. That is to say, manually uploading an S/MIME certificate labels the source as trusted.

To import an external S/MIME certificate, proceed as follows:

1. On the S/MIME Certificates tab, click New External S/MIME Certificate.
The Add S/MIME Certificate dialog box opens.

2. Make the following settings:

Format: Select the format of the certificate. You can choose between the following formats:
• der (binary)
• pem (ASCII)

Note – Microsoft Windows operating systems use the cer file extension for both der and pem formats. You must therefore determine in advance whether the certificate you are about to upload is in binary or ASCII format. Then select the format from the drop-down list accordingly.

Certificate: Click the Folder icon to open the Upload File dialog window. Select the file and click Start Upload.

Comment (optional): Add a description or other information.

3. Click Save.
The new S/MIME certificate appears on the S/MIME Certificates list.
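Because a .cer file can hold either format, the safest way to pick the right Format entry is to look at the file contents rather than the extension. The following added example (not code from the guide or from Sophos UTM) recognises PEM by its BEGIN CERTIFICATE armor and DER by a well-formed outer ASN.1 SEQUENCE whose encoded length matches the file size; the sample bytes are constructed and are not a real certificate.

```python
"""Added example (not Sophos code): decide whether a certificate file is
PEM (ASCII) or DER (binary) from its contents rather than its extension."""
import base64
import re

# PEM armor for a single certificate; the base64 body is usually wrapped at 64 columns.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def der_outer_length(data: bytes):
    """Parse the outer DER SEQUENCE header (tag 0x30 followed by a length).

    Returns (header_len, content_len), or None if the header is malformed.
    Handles short-form and long-form (up to 4 byte) length encodings."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return 2, first
    num_len_bytes = first & 0x7F           # long form: 0x8N, then N length bytes
    if num_len_bytes == 0 or num_len_bytes > 4 or len(data) < 2 + num_len_bytes:
        return None
    content_len = int.from_bytes(data[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes, content_len


def looks_like_der(data: bytes) -> bool:
    """True when data is exactly one DER SEQUENCE with a consistent length."""
    parsed = der_outer_length(data)
    if parsed is None:
        return False
    header_len, content_len = parsed
    return header_len + content_len == len(data)


def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the body; raises on bad input."""
    match = PEM_RE.search(data)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # validate=False lets b64decode skip the line breaks inside the body
    der = base64.b64decode(match.group("body"), validate=False)
    if not looks_like_der(der):
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return der


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown': the entry to pick in the Format list."""
    if PEM_RE.search(data):
        return "pem"
    if looks_like_der(data):
        return "der"
    return "unknown"


# Constructed sample: SEQUENCE { INTEGER 5 }. Not a real certificate, but it
# starts with the same kind of header a DER-encoded certificate file does.
DER_SAMPLE = bytes.fromhex("3003020105")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("sample.cer (binary)", DER_SAMPLE), ("sample.cer (ASCII)", PEM_SAMPLE)):
        print(f"{name}: Format = {detect_format(blob)}")
```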


10.4.6 OpenPGP Public Keys

On the Encryption > OpenPGP Public Keys tab you can install OpenPGP public keys. Files must be provided in .asc format. The upload of entire keyrings is supported.

Note – Do not upload a keyring that is protected by a passphrase.

All public keys included in the keyring will be imported and can be used to encrypt messages. Emails for recipients whose public keys are listed here will automatically be encrypted. If you want to disable encryption for a particular recipient, simply delete its public key from the list.

Note – Only one email address per key is supported. If there are multiple addresses attached to a key, only the "first" one will be used (the order may depend on how OpenPGP sorts addresses). If the key you want to import has several addresses attached, you must remove the unneeded addresses with OpenPGP or other tools prior to importing the key into Sophos UTM.

To import an OpenPGP public key, proceed as follows:

1. On the OpenPGP Public Keys tab, click Import Keyring File.
The Import OpenPGP Keyring File dialog box opens.

2. Upload the OpenPGP key(s).
Click the Folder icon to open the Upload File dialog window. Select the file and click Start Upload.
The key or, if the file contains several keys, a list of keys is displayed.

3. Select one or more keys and click Import Selected Keys.
The key(s) appear(s) on the OpenPGP Public Keys list.

Note – An email address must be attached to the key. Otherwise the installation will fail.

10.5 SPX Encryption

SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, unencrypted email messages and any attachments sent to the UTM are converted to a PDF document, which is then encrypted with a password. You can configure the UTM to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.

When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:

• The administrator can download a Microsoft Outlook plugin (see chapter Email Protection > SPX Encryption > Sophos Outlook Add-in). After having it installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user needs to enable the Encrypt button and then write and send the message. Only if something goes wrong, for example the sender does not enter a valid password, a notification will be sent, if configured.

Note – If you are not using Outlook, you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to yes.

• In the Data Protection feature, you can specify to automatically SPX encrypt emails containing sensitive data (see SMTP > Data Protection tab).

The encrypted message is then sent to the recipient's mail server. Using Adobe Reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Blackberry and Windows Mobile devices.

Using the SPX reply portal, the recipient is able to answer the email in a secure way. It is possible to set expiry times for the secure reply and unused passwords (see chapter Email Protection > SPX Encryption > SPX Configuration).

SPX encryption can be activated in both SMTP configuration modes, Simple Mode and Profile Mode. If using Simple mode, a global SPX template can be chosen. The SPX template defines the layout of the PDF file, password settings, recipient instructions, and SPX reply portal settings. If using Profile mode, you can define different SPX templates for different SMTP profiles. So, if you are managing various customer domains, you can assign them customized SPX templates containing for example different company logos and texts.


10.5.1 SPX Configuration

On the SPX Encryption > SPX Configuration tab you enable SPX encryption, and you configure general settings for all SMTP users.

To configure SPX encryption, proceed as follows:

1. Enable SPX encryption.
Click the toggle switch.
The toggle switch turns green.

2. In the following sections of this tab, make the required global settings.

3. On the SPX Templates tab, modify the existing Sophos Default Template and/or add new SPX templates.

4. On the SMTP > Global tab, select the Global SPX Template.

5. Optionally, if using SMTP Profile Mode, select the desired SPX templates for the respective SMTP profiles.

6. If you want the users to SPX encrypt email messages via the Microsoft Outlook plugin, make sure that they have access to the Email Protection > SPX Encryption > Sophos Outlook Add-in tab. If you use another email client, you have to set the header manually yourself.

SPX Encryption Precedence

Prefer SPX Encryption: If enabled and S/MIME and/or OpenPGP are activated, SPX Encryption has precedence over S/MIME and OpenPGP.

SPX Password Settings

Minimum length: The minimum number of characters allowed for a password specified by the sender.

Require special characters: If enabled, the password specified by the sender has to contain at least one special character (non-alphanumeric characters and whitespace are treated as special characters).

Click Apply to save your settings.


SPX Password Reset

Reset password for: Here you can delete the password of a recipient. Enter the recipient's email address and click Apply.

SPX Portal Settings

Interface used for SPX reply portal: Select the interface that provides the SPX reply portal. This web interface allows recipients of SPX encrypted messages to securely reply to the sender. In many configurations this would be the external interface.

Port: Enter the port on which the SPX reply portal should listen.

Click Apply to save your settings.

SPX Portal and Password Expiry Settings

Allow secure reply for: Specify for how long the recipient of an SPX encrypted message is allowed to send a reply via the SPX reply portal.

Keep unused password for: Specify the expiry time of a password that has not been used in the meantime.

Note – If, for example, Keep Unused Password is set to 3 days, the password will expire at 0 o'clock if no SPX encrypted message was sent to that specific recipient in the meantime.

Note – If the Keep Unused Password option is set to 0 days, the password will be saved and expires at 0 o'clock.

Click Apply to save your settings.

SPX Notification Settings

Send notification on error to: Specify whom to send a notification to when an SPX error occurs. You can send the notification to the administrator, to the sender, or to both, or you can send no notification at all. Error messages will always be listed in the SMTP log.

Tip – SPX error messages can be customized on the Management > Customization > Email Messages tab.

Click Apply to save your settings.


10.5.2 SPX Templates

On the SPX Encryption > SPX Templates tab you can modify the existing Sophos Default Template, and you can define new SPX templates. If using SMTP Simple mode, a global SPX template can be selected for all SMTP users on the SMTP > Global tab. If using SMTP Profile mode, you can assign different SPX templates to different SMTP profiles on the SMTP Profiles tab.

To create an SPX template, proceed as follows:

1. Click New Template.
The Create SPX Template dialog box opens.

Tip – The Sophos Default Template contains useful settings and example texts. Therefore you should consider cloning the existing template using its Clone button instead of creating a new template from scratch.

Note – The notification sender is the mail address which is configured in Management > Notifications > Sender.

2. Make the following settings:

Template name: Enter a descriptive name for the template.

3. Make the following basic settings:

Comment (optional): Add a description or other information.

Organization Name: The organization name will be displayed on notifications concerning SPX, sent to the administrator or the email sender, depending on your settings.

PDF Cover Page: Select if you want the encrypted PDF file to have an additional first page. You can use the default page or a custom page. In case of the custom page, upload a one-page PDF file via the Folder icon.

PDF Encryption: Select the encryption mode of the PDF file. Note that some PDF viewers cannot read AES/256 encrypted PDF files.

Label Languages: Select the display language of the labels in the email forwarded to the recipient. The email contains fields such as From, To, Sender, or Subject, for example.

Page Size: Select the page size of the PDF file.


Remove Sophos Logos: Enable this option to replace the default Sophos logo with your company logo specified on the Management > Customization > General tab. The logo will be displayed in two places: in the footer of the encryption email sent to the recipient and in the footer of the reply message generated via the Reply button in the PDF file.

4. Make the following password settings:

Password Type: Select how you want to generate the password for accessing the encrypted email message. No matter which type you select, the sender always has to take care of transferring the password to the recipient in a safe way.

• Specified by Sender: Select if the email sender should generate the password himself. In this case, the sender has to enter the password into the Subject field, using the following format: [secure:<password>]<subject text> where <password> is the password to open the encrypted PDF file and <subject text> is the arbitrary subject. Of course, the password will be removed by the UTM before the email is sent to the recipient.

Note – A template with this option should not be used in combination with Data Protection. With Data Protection, the sender does not know beforehand that an email will be encrypted and thus will not enter the password into the Subject field. When the UTM tries to SPX encrypt an email with no password specified, the sender will receive an error message with the information that the password is missing.

• Generated and Stored for Recipient: The UTM automatically creates a recipient-specific password when the first email is sent to a recipient. This password will be sent to the sender. With the next email, the same password is used automatically. The password will expire when it is not used for a certain time, and it can be reset by the administrator, see the SPX Configuration tab.

• Generated one-time Password for every Email: The UTM automatically creates a new password for each affected email. This password will be sent to the sender.

Notification Subject (not with the Specified by sender option): The subject of the email that is sent from the UTM to the email sender containing the password. Here you can use variables, e.g. %%ENVELOPE_TO%%, for the recipient's name.


Notification Body (not with the Specified by sender option): The body of the email that is sent from the UTM to the email sender containing the password. Here you can use variables, e.g., %%GENERATED_PASSWORD%%, for the password.

Tip – The Sophos Default SPX Template on this tab contains all available variables and gives a useful example of a notification.

5. Make the following recipient instructions settings:

Instructions for Recipient: The body of the email that is sent from the UTM to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g., %%ORGANIZATION_NAME%%.

Tip – The Sophos Default SPX Template on this tab contains all available variables and gives a useful example of recipient instructions.

Header Image/Footer Image: Select if the email from the UTM to the email recipient should have a header and/or a footer image. You can use the default image, which is an orange envelope with an appropriate text, or a custom image. In case of the custom image, upload a JPG, GIF, or PNG file via the Folder icon. The recommended size is 752 x 69 pixels.

6. Make the following SPX portal settings:

Enable SPX Reply Portal: If enabled, the encrypted PDF file sent to the recipient will contain a Reply button. With this button the recipient can access the SPX reply portal to send an encrypted email reply to the sender.

Include Original Body into Reply: If enabled, the reply from the recipient will automatically contain the body of the original email.

Portal header image/Portal footer image: Select if the SPX reply portal should have a header and/or a footer image. You can use the default image, which is an orange envelope with an appropriate text, or a custom image. In case of the custom image, upload a JPG, GIF, or PNG file via the Folder icon. The recommended size is 752 x 69 pixels.

7. Click Save.
The SPX template will be created and appears on the SPX Templates list.

To either edit or delete an SPX template, click the corresponding buttons.
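As an added example (not code from the guide or from Sophos UTM), the following Python models what a message must look like for a template with the Specified by Sender option: it splits the [secure:<password>]<subject text> subject, checks the password against the SPX Password Settings, and reproduces the "password missing" error from the Data Protection note. The X-Sophos-SPX-Encrypt header comes from the guide; the minimum length of 8, the forced flag standing in for a Data Protection trigger, and the addresses are assumptions, and the messages are constructed.

```python
"""Added example (not Sophos code): pre-flight checks for SPX messages whose
password is specified by the sender in the subject line."""
import re
from email.message import EmailMessage

# Subject format from the guide: [secure:<password>]<subject text>
SUBJECT_RE = re.compile(r"^\[secure:(?P<pw>[^\]]*)\](?P<subject>.*)$", re.DOTALL)


def policy_violations(password, min_length=8, require_special=True):
    """Return the SPX Password Settings the password violates (empty list = OK).

    min_length=8 is an assumed value; the guide names the setting, not a default.
    Non-alphanumeric characters and whitespace count as special characters."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if require_special and all(ch.isalnum() for ch in password):
        problems.append("no special character")
    return problems


def split_spx_subject(subject):
    """Split '[secure:pw]text' into (pw, text); (None, subject) when absent."""
    match = SUBJECT_RE.match(subject)
    if match is None:
        return None, subject
    return match.group("pw"), match.group("subject")


def spx_precheck(msg, forced=False, min_length=8, require_special=True):
    """Model the gateway's handling of one outgoing message.

    forced=True stands for SPX encryption triggered by Data Protection, where
    the sender did not ask for it and so may not have set a password (assumed
    modelling, not a UTM setting). Returns a dict with 'action' in
    {'pass', 'spx', 'error'} plus 'password', 'subject' and 'reason'."""
    requested = msg.get("X-Sophos-SPX-Encrypt", "").strip().lower() == "yes"
    original_subject = str(msg.get("Subject", ""))
    if not (requested or forced):
        # Not marked for SPX: the message leaves with its subject untouched.
        return {"action": "pass", "password": None,
                "subject": original_subject, "reason": None}
    password, clean_subject = split_spx_subject(original_subject)
    if not password:
        # The error case from the Data Protection note: nothing to encrypt with.
        return {"action": "error", "password": None,
                "subject": original_subject, "reason": "password missing"}
    problems = policy_violations(password, min_length, require_special)
    if problems:
        return {"action": "error", "password": None,
                "subject": original_subject, "reason": "; ".join(problems)}
    # The password never reaches the recipient: it is stripped from the subject.
    return {"action": "spx", "password": password,
            "subject": clean_subject, "reason": None}


def build_message(sender, recipient, subject, body, request_spx=False):
    """Build a constructed test message, optionally flagged for SPX by header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if request_spx:
        msg["X-Sophos-SPX-Encrypt"] = "yes"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed messages; the addresses are placeholders.
    samples = [
        build_message("alice@example.com", "bob@example.org",
                      "[secure:Tr0ub4dor&3]Quarterly figures", "see attached", request_spx=True),
        build_message("alice@example.com", "bob@example.org",
                      "[secure:abc]Quarterly figures", "see attached", request_spx=True),
        build_message("alice@example.com", "bob@example.org",
                      "Quarterly figures", "see attached", request_spx=True),
    ]
    for m in samples:
        result = spx_precheck(m)
        print(f"{str(m['Subject'])!r:45} -> {result['action']}: "
              f"{result['reason'] or result['subject']}")
```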


10.5.3 Sophos Outlook Add-in

On the Email Protection > SPX Encryption > Sophos Outlook Add-in tab you can navigate to the Sophos website and, with your MySophos credentials, download the Sophos Outlook Add-in.

The Outlook Add-in simplifies the encryption of messages which contain sensitive or confidential information leaving your organization. For the download and the installation documentation, visit the Sophos website.

Run the installer with the parameters: msiexec /qr /i SophosOutlookAddInSetup.msi T=1 EC=3 C=1 I=1

10.6 Quarantine Report

Sophos UTM features an email quarantine containing all messages (SMTP and POP3) that have been blocked and redirected to the quarantine for various reasons. This includes messages waiting for delivery as well as messages that are infected by malicious software, contain suspicious attachments, are identified as spam, or simply contain unwanted expressions.

To minimize the risk of messages being withheld that were quarantined mistakenly (so-called false positives), Sophos UTM sends a daily Quarantine Report to the users informing them of messages in their quarantine. If users have several email addresses configured, they will get an individual Quarantine Report for each email address. This also applies if a user has additional POP3 accounts configured in the User Portal, provided the POP3 proxy of Sophos UTM is in prefetch mode, which allows the prefetching of messages from a POP3 server and storing them in a local database. In a Quarantine Report a user can click on any spam entry to release the message from the quarantine or to whitelist the sender for the future.

The following list contains some more information about the Quarantine Report:

• Quarantine Reports are only sent to those users whose email address is part of a domain contained in any SMTP profile. This includes the specification in the Domains box on the SMTP > Routing tab as well as the specifications in the Domains box of any SMTP Profile.

• If the POP3 prefetch option is disabled, quarantined messages sent to this account will not appear in the Quarantine Report. Instead, each user will find the typical Sophos POP3 blocked message in his inbox. It is therefore not possible to release the message

364   UTM 9 WebAdmin

Page 365: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 365/631

by means of the Quarantine Report or the User Portal. The only way to deliver such an

emailis to download it in zip format from the MailManager  by the administrator.

l   On the Advanced tab, the administrator defines which types of quarantined mail can be

released by the users. By default, only spam emailscan be released from the quarantine.

Messages quarantined for other reasons, for example because theycontain viruses or 

suspicious file attachments, can only be released from the quarantine by the admin-

istrator in the Mail Manager of Sophos UTM. In addition, users can also review all of their 

messages currently held in quarantine in the Sophos User Portal.

l   If a spam emailhas multiple recipients, as is the case with mailing lists, when any one

recipient releases the email, it is released for that recipient only, provided the email

address of the mailing list is configured on the system. Otherwise the email will be sent to

all recipients simultaneously. For more information, see the Define internal mailing lists

option on the EmailProtection > Quarantine Report > Exceptions tab.

l   Emails sent to an SMTP email address for which no user is configured in Sophos UTM

can be released (but not whitelisted) from the Quarantine Report or in the Mail Manager 

by the administrator. However, as this user isnot configured, no access to the User 

Portal is possible.

l   Spam emailssent to mailing lists cannot be whitelisted.

l   Some emailclients do not encodethe header of an email correctly, which mayresult in anawkward representation of the email in the daily Quarantine Report.

10.6.1 Global

On the Quarantine Report > Global tab you can define at what time the daily Quarantine Report shall be sent and write a message text that will appear in the Quarantine Reports.

To edit the Quarantine Report settings, enable the Quarantine Report: Click the toggle switch. The toggle switch turns green.

Time to Send Report

Here you can define when the daily Quarantine Report will be sent. Select the time using the drop-down lists and click Apply.

You can also send an additional report. For this, select the checkbox Send Additional Report, set the time, and click Apply.

Customizable Message Text

Here you can customize the text which forms the introduction of the Quarantine Report. Change the message text according to your needs and click Apply.

Note – It is not possible to use HTML tags in the customizable message text box.

Note – Customization is not possible when using a home use license.

Note – The notification sender is the mail address which is configured in Management > Notifications > Global.

10.6.2 Exceptions

On the Quarantine Report > Exceptions tab you can define a skiplist of email addresses that should be exempt from receiving daily Quarantine Reports.

Skipping Quarantine Reports

Here you can configure internal email addresses for which no quarantine notifications should be sent. Users whose email addresses are listed here will not receive daily Quarantine Reports. You can enter full email addresses or use an asterisk (*) as wildcard, for example *@example.com.

Note – The skiplist only applies for the SMTP Quarantine Report. If there is a POP3 account specified for the respective user, the POP3 Quarantine Report will be sent nonetheless.

Define Internal Mailing Lists

If the email address of a mailing list is configured in the Mailing list address patterns box (e.g., [email protected]) and a spam message sent to this mailing list was detected and redirected to the email quarantine, the Quarantine Report of all recipients included in this mailing list will contain a link to this spam message. Thus, each recipient can release this spam message individually by entering his email address in a user prompt that appears once the recipient has clicked the Release link in the Quarantine Report.

Note – Mailing lists cannot be whitelisted in the Quarantine Report or the User Portal.

Alternatively, you could enter the email address of that particular mailing list as an additional email address in a local user's profile; this user then acts as a kind of mail manager for the list. Then only this user's Quarantine Report will contain a link to the spam message that was sent to the mailing list. Clicking the Release link will deliver the spam message to all recipients of that mailing list at once.

Note – If the email address of a mailing list is configured as an additional email address in a user's profile, no recipient included in that mailing list is shown the links to spam messages that were sent to this mailing list.

However, if the email address of a mailing list is both configured as an additional email address in a user's profile and in the Mailing list address patterns box, then the Release link in that user's Quarantine Report will open a user prompt. The user then decides who is going to receive the spam mail by manually entering the respective email address(es) to forward the spam message to.

Finally, if the email address of a mailing list is neither configured as an additional email address in a user's profile nor as a mailing list address pattern, a spam message sent to the mailing list is handled like a normal email, meaning that if any one recipient releases the spam mail, it will be sent to all recipients of the mailing list.

To sum up, whenever the email address of a mailing list is configured as a mailing list address pattern, each user having a link to the spam message in his Quarantine Report is prompted to enter an email address to release the spam message to.
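The four mailing-list configurations described above, together with the mailing-list bullet in the overview of section 10.6, modelled as a decision function. This is an added illustration and not Sophos code; the configuration structure, the user and list addresses, case-insensitive matching, and the use of "*" as a wildcard in the Mailing list address patterns box are assumptions.

```python
"""Model of the Quarantine Report behaviour for spam sent to a mailing list.

Added illustration of the rules in Email Protection > Quarantine Report >
Exceptions; not Sophos code. Configuration layout and addresses are assumed.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class QuarantineReportConfig:
    # Entries of the "Mailing list address patterns" box.
    # Assumption: "*" works as a wildcard here, as it does in the skiplist.
    mailing_list_patterns: tuple
    # Additional email addresses per local user profile,
    # e.g. {"alice": ("lists@example.com",)}.
    additional_addresses: dict


@dataclass(frozen=True)
class SpamToListOutcome:
    link_holders: frozenset   # users whose Quarantine Report carries the Release link
    release_mode: str         # what clicking Release does (see below)
    whitelist_allowed: bool   # always False: mailing lists cannot be whitelisted


# release_mode values:
#   "prompt_individual": each link holder is prompted for an address and
#                        releases the message for that address only
#   "prompt_forward":    the single link holder is prompted and enters the
#                        address(es) to forward the message to
#   "deliver_all":       one click delivers the message to every list recipient


def matches_list_pattern(address, patterns):
    """True if the address matches any configured mailing list address pattern."""
    address = address.lower()
    return any(fnmatch.fnmatchcase(address, p.lower()) for p in patterns)


def users_with_additional_address(address, additional_addresses):
    """Local users that carry the address as an additional address in their profile."""
    return frozenset(
        user for user, addrs in additional_addresses.items()
        if address.lower() in {a.lower() for a in addrs}
    )


def spam_to_mailing_list(list_address, recipients, cfg):
    """Decide who sees the Release link and what releasing does."""
    as_pattern = matches_list_pattern(list_address, cfg.mailing_list_patterns)
    managers = users_with_additional_address(list_address, cfg.additional_addresses)

    if as_pattern and managers:
        # Both configured: only the manager sees the link and is prompted
        # for the address(es) to forward the message to.
        return SpamToListOutcome(managers, "prompt_forward", False)
    if as_pattern:
        # Pattern only: every list recipient sees the link; each releases
        # the message individually via the prompt.
        return SpamToListOutcome(frozenset(recipients), "prompt_individual", False)
    if managers:
        # Additional address only: only the manager sees the link; Release
        # delivers the message to all list recipients at once.
        return SpamToListOutcome(managers, "deliver_all", False)
    # Neither: handled like a normal email; any recipient's release delivers
    # the message to all recipients.
    return SpamToListOutcome(frozenset(recipients), "deliver_all", False)


# Constructed sample: a staff list that expands to three local users.
LIST_ADDRESS = "staff@example.com"
LIST_RECIPIENTS = ("alice", "bob", "carol")

if __name__ == "__main__":
    for label, cfg in (
        ("pattern only", QuarantineReportConfig(("staff@example.com",), {})),
        ("additional address only", QuarantineReportConfig((), {"dave": ("staff@example.com",)})),
        ("both", QuarantineReportConfig(("*@example.com",), {"dave": ("staff@example.com",)})),
        ("neither", QuarantineReportConfig((), {})),
    ):
        out = spam_to_mailing_list(LIST_ADDRESS, LIST_RECIPIENTS, cfg)
        print(f"{label:24} link holders={sorted(out.link_holders)} release={out.release_mode}")
```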

10.6.3 Advanced

On the Quarantine Report > Advanced tab you can configure an alternative hostname and port number for the Release links contained in daily Quarantine Reports. Additionally, you can change the release options for spam emails.

Advanced Quarantine Report Options

Hostname: By default, this is the gateway's hostname as given on the Management > System Settings > Hostname tab. The quarantine report, for example, which is sent by the gateway, contains hyperlinks a user can click to release messages from the email quarantine. By default, these links point to the hostname specified here. If you want to enable users to release their emails from across the Internet, it might be necessary to enter an alternative hostname here that can be publicly resolved.

Port: By default, port 3840 is configured. You can change the port to any value in the range from 1024 to 65535.

Allowed networks: You can also specify the networks that should be allowed to connect to the email release service. By default, only the internal network is selected.

Click Apply to save your settings.

Release Options

Here you can select which types of quarantined messages shall be releasable by users. You can choose between the following options:

• Malware
• Spam
• Expression
• File extension
• Unscannable
• MIME type
• Other

Click Apply to save your settings.

10.7 Mail Manager

The Mail Manager is an administrative tool to manage and organize all email messages currently stored on the unit. This includes messages waiting for delivery as well as quarantined messages that are infected by malicious software, contain suspicious attachments, are identified as spam, or contain unwanted expressions. You can use the Mail Manager to review all messages before downloading, releasing, or deleting them. The Mail Manager is fully UTF-8 capable.

10.7.1 Mail Manager Window

Figure 20 Mail Manager of Sophos UTM

To open the Mail Manager window click the button Open Mail Manager in New Window on the Email Protection > Mail Manager > Global tab. The Mail Manager is divided into five different tabs:

• SMTP Quarantine: Displays all messages that are currently quarantined.
• SMTP Spool: Displays all messages currently in /var/spool. This may be due to them waiting for delivery or because of an error.
• SMTP Log: Displays the delivery log for all messages processed via SMTP.
• POP3 Quarantine: Displays all messages fetched via POP3 that are currently quarantined.
• Close: Click here to close the Mail Manager window.

10.7.1.1 SMTP/POP3 Quarantine

Messages in SMTP and POP3 Quarantine can be displayed according to their respective quarantine cause:

• Malware
• Spam
• Expression
• File Extension
• MIME Type (SMTP only)
• Unscannable
• Other

Use the checkboxes to select/unselect quarantine causes. Double-click the checkbox of a cause to select only this cause.

Tip – Double-click a message to view it.

Profile/Domain: Select a profile/domain to show its messages only.

Sender/Rcpt/Subject substring: Here you can enter a sender, recipient, or subject to search for in the messages.

Received date: To only show messages processed during a certain time frame, enter a date, or select a date from the calendar icon.

Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date, subject line, sender address, and message size.

and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.

Use the checkbox in front of each message or click a message to select it to apply actions on the selected messages. The following actions are available:

• View (only available for an individual message): Opens a window with the contents of the email.
• Download: Selected messages will be downloaded.
• Delete: Selected messages will be deleted irrevocably.
• Release: Selected messages will be released from quarantine.
• Release and report as false positive: Selected messages will be released from quarantine and reported as false positive to the spam scan engine.

Note that only the administrator can release all messages held in quarantine. Users reviewing their messages in the Sophos User Portal can only release messages they are explicitly allowed to. The authorization settings for this can be found on the Email Protection > Quarantine Report > Advanced tab.

Select global cleanup action: Here you find several deletion options that will be applied on messages globally, that is, regardless of whether they are selected and/or displayed or not.

Caution – Deleted messages cannot be recovered.

10.7.1.2 SMTP Spool

Here you see messages that are either waiting for delivery or have produced an error. The delivery log is also part of the message header. Use the following checkboxes to select only one type of messages for display:

• Waiting: Messages waiting for delivery.
• Error: Messages that caused an error. If a message produces an error more than once, please report the case to your Sophos Partner or the Sophos Support Team.

Hint – Double-click a message to view it.

Profile/Domain: Select a profile/domain to show its messages only.

Sender/Rcpt/Subject substring: Here you can enter a sender, recipient, or subject to search for in the messages.

Received date: To only show messages processed during a certain time frame, enter a date, or select a date from the calendar icon.

Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date, subject line, sender address, and message size.

and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.

Use the checkbox in front of each message or click a message to select it to apply actions on the selected messages. The following actions are available:

• Download: Selected messages will be downloaded.
• Retry: For selected messages delivery will be retried immediately.
• Delete: Selected messages will be deleted irrevocably.
• Bounce: Selected messages will be bounced, that is, the sender will receive a message that the delivery of their message has been canceled.

Select Global Cleanup Action: Here you find a retry option and several deletion options that will be applied on messages globally, that is, regardless of whether they are selected and/or displayed or not.

Caution – Deleted messages cannot be recovered.

10.7.1.3 SMTP Log

The SMTP Log displays the log messages for all messages processed via SMTP.

Result Filter: Select which type of message will be displayed by selecting the corresponding checkboxes.

• Delivered: Successfully delivered messages.
• Rejected: Messages rejected by the UTM.
• Quarantined: Quarantined messages.
• Blackholed: Messages that have been deleted without notification.
• Canceled: Messages that have been manually bounced in SMTP Spool.
• Bounced: Messages that could not be delivered, for example because of false routing settings.
• Deleted: Messages that have been manually deleted.
• Unknown: Messages whose status is unknown.

Use the checkboxes to select/unselect Result Filter items. Double-click an item to select only this item.

Reason Filter: Use the checkboxes to further filter the message log display.

Note – Double-click a message log to view it. Click on the server icon of a message to resolve the IP address. An asterisk (*) denotes a successful reverse DNS lookup.

Profile/Domain: Select a profile/domain to show its messages only.

IP/Net/Address/Subj. Substring: Here you can enter an IP address, network address, or subject to search for in the SMTP log messages.

Received Date: To only show messages processed during a certain time frame, enter a date, or select a date from the calendar icon.

Sort by: By default, the list is sorted by event time. Messages can be sorted by event time, sender address, and message size.

and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.

10.7.2 Global

In the upper part of the Mail Manager > Global tab you can open the Mail Manager by clicking the Open Mail Manager in New Window button.

In the lower part, the Statistics Overview area provides an overview of all messages currently stored on the unit. Data is divided into messages that were delivered via the SMTP or POP3 protocol. For both types, the following information is displayed:

• Waiting for Delivery (Spooled) (SMTP only): Mails that are currently in spool, for example because they were being scanned and could not be delivered yet.
• Clean total (POP3 only): Mails that have been prefetched by the unit and have not yet been collected by a client/user.
• Quarantined Malware: The total of messages that contain malware, such as viruses or other harmful content.
• Quarantined Spam: The total of messages that were identified as spam.
• Quarantined Expression: The total of messages that were diverted to the quarantine because they contain forbidden expressions.
• Quarantined File Extension: The total of messages held in quarantine because they contain suspicious attachments (identified by their file extension).
• Quarantined Unscannable: The total of messages held in quarantine because they could not be scanned.
• Quarantined MIME Type (SMTP only): The total of messages held in quarantine because they contain MIME types that are to be filtered according to the SMTP settings.
• Quarantined Total: The total of messages that are held in quarantine.

Note – The numbers for Waiting for Delivery represent a real-time snapshot for SMTP messages. However, for POP3 messages, the numbers presented are the accumulation of data since the last time prefetching was enabled.

Below you see a short statistic for SMTP quarantining and rejections of the last 24 hours:

• Malware Quarantined/Rejected: Messages quarantined/rejected because they contain harmful content.
• Spam Quarantined/Rejected: Messages quarantined/rejected because they have been identified as spam.
• Blacklist Rejects: Messages rejected because the sender is on a blacklist.
• Address Verification Rejects: Messages rejected because the sender address could not be verified.
• SPF Rejects: Messages rejected because the sending host is not allowed.
• RBL Rejects: Messages rejected because the sender is on a real-time blackhole list.
• BATV Rejects: Messages rejected because the BATV tag could not be validated.
• RDNS/HELO Rejects: Messages rejected due to an invalid HELO or missing RDNS entries.

Whether there are any rejects depends on your settings in Email Protection > SMTP.

10.7.3 Configuration

On the Mail Manager > Configuration tab you can configure how long the database log will be kept and after how many days quarantined messages are to be deleted from the quarantine. Any logs and messages that are older than the number of days in the expiration settings will be deleted automatically.

The default settings are as follows:

• Database log will be deleted after three days. Maximum number permitted: 30 days.
• Quarantined messages will be deleted after 14 days. Maximum number permitted: 999 days.

The minimum number of days permitted for both database log and quarantine is one day.

Flush Database Log

This option is useful if your database log has accumulated an immense amount of data and you want to clear the log immediately. That way you do not have to wait for the normal cleanup action to apply.


11 Endpoint Protection

The Endpoint Protection menu allows you to manage the protection of endpoint devices in your network, e.g. desktop computers, servers, and laptops. UTM is the configuration side of endpoint protection where you deploy the software for endpoints, get an overview of the protected endpoints, set up antivirus and device control policies, group endpoints, and assign the defined policies to endpoint groups.

Endpoint protection uses a central service called Sophos LiveConnect. This cloud-based service is automatically set up for use with your UTM once you enable endpoint protection. LiveConnect allows you to always manage all of your endpoints, whether they are on your local network, at remote sites, or with traveling users. The LiveConnect service provides:

• A pre-configured installation package for the endpoint agent
• Policy deployment & updates for endpoints
• Security updates and definitions for endpoints
• Central logging & reporting data to monitor endpoints centrally through WebAdmin

As LiveConnect is a cloud-based service you will need an active Internet connection in order for the service to work. Managed endpoints will need an Internet connection to receive policy and security updates, too.

The figure below shows a deployment example of Sophos UTM Endpoint Protection with the use of the LiveConnect Service.

Figure 21 Endpoint Protection: Overview

The following topics are included in this chapter:

• Computer Management
• Antivirus
• Device Control
• Web Control

If endpoint protection is enabled, the overview page gives you general information on registered computers and their status. You can sort and search this list. If the status of an endpoint is not Ok, you can click on the status to open a window with more information. The status Not Compliant indicates that the device's settings are currently not the same as configured on the UTM. To resolve this problem you find a link in the window to send the current endpoint settings to the endpoint. For the other statuses you can acknowledge the information and decide what actions have to be taken.

Open Endpoint Protection Live Log

The endpoint protection live log gives you information about the connection between the endpoints, LiveConnect, and the UTM, as well as security information concerning the endpoints. Click the Open Endpoint Protection Live Log button to open the endpoint protection live log in a new window.

11.1 Computer Management

On the Endpoint Protection > Computer Management pages you can enable and manage the protection of individual computers connected to your Sophos UTM. You can find and deploy an installation file for endpoints and you get an overview of all computers where the endpoint protection software is installed. You can define computer groups with differing protection settings.

11.1.1 Global

On the Endpoint Protection > Computer Management > Global tab you can enable or disable endpoint protection.

To enable endpoint protection, do the following:

1. On the Global tab, enable endpoint protection.
Click the toggle switch. The toggle switch turns amber and some fields with your organization details become visible.

2. Enter your organization details.
By default the settings from the Management > System Settings > Organizational tab are used.

3. Optionally, configure a parent proxy:
If your UTM does not have direct HTTP internet access, Endpoint Protection can use a proxy server to reach Sophos LiveConnect. Select Use a parent proxy and enter the host and port if necessary.

4. Click Activate Endpoint Protection.
The toggle switch turns green and endpoint protection is activated.

To cancel the configuration, click the amber colored toggle switch.

On the Deploy Agent page you can now continue by deploying an endpoint protection installation package to computers to be monitored.

Note – When using endpoint protection, we recommend enabling the Force caching for Sophos Endpoint updates feature on the Web Protection > Filtering Options > Misc tab, section Web Caching, to prevent uplink saturation when endpoints download data from the update servers in the Internet.

Note – The administrator can configure alerts for endpoint virus detection under Management > Notifications > Notifications tab, section Endpoint.

Note – If the Web Filter is activated and works in transparent mode, additional settings are necessary to ensure that endpoints can correctly use endpoint protection: As soon as endpoint protection is enabled, the UTM automatically creates a DNS group named Sophos LiveConnect. Add this DNS group to the Skip transparent mode destination hosts/nets box on the Web Protection > Filtering Options > Misc tab.

To disable endpoint protection, do the following:

1. On the Global tab, disable endpoint protection.
Click the toggle switch. The toggle switch turns amber and two options are available.

2. Select whether you want to delete your endpoint data.
Keep ALL data: Use this option if you want to temporarily disable endpoint protection. Your endpoint settings will be preserved. When enabling the feature again, the previously installed endpoints will automatically connect again and all defined policies will be available.
Delete ALL data: Use this option if you want to reset all endpoint settings and start from scratch. All connections to endpoints and all policy settings will be deleted. After enabling the feature again, deploy new installation packages to the endpoints for them to get the new registration data (see section Computer Management > Advanced).

3. Click Disable Endpoint Protection.
The toggle switch turns gray and endpoint protection is disabled.

11.1.2 Deploy Agent

On the Endpoint Protection > Computer Management > Deploy Agent tab you can deploy the installation files for the individual computers to be monitored via endpoint protection.

With the package there are two different ways to deploy the endpoint protection software to endpoints:

• Use the Download Endpoint Installation Package Now button to download and save the installation package. Then give endpoint users access to the package.
• Copy the URL which is displayed in the gray box and send it to the endpoint users. Using the URL, endpoint users can download and install the installation package by themselves.

Note – The name of the installation package must not be changed. During installation LiveConnect compares the package name with the current registration data of the UTM. If the information does not match, the installation will be aborted.

After installation on an endpoint, the respective computer will be displayed on the Manage Computers tab. Additionally it will automatically be assigned to the computer group defined on the Advanced tab.

Note – The installation package can be invalidated using the Reset Registration Token button on the Advanced tab.

11.1.3 Manage Computers

The Endpoint Protection > Computer Management > Manage Computers tab gives you an overview of the computers which have endpoint protection installed for your UTM. The computers are added to the list automatically. You can assign a computer to a group, add additional information, modify a computer's tamper protection settings, or delete a computer from the list.

To edit the settings of a listed computer proceed as follows:

1. Click the Edit button of the respective computer.
The Edit Computer dialog box opens.

2. Make the following settings:
Computer group: Select the computer group you want to assign the computer to. The computer will receive the protection settings of the assigned group.
Type: Select the computer type, i.e. desktop, laptop, or server. The type serves to filter the list.
Tamper protection: If enabled, modification of the protection settings locally on the computer is only possible with a password. The password is defined on the Advanced tab. If disabled, the endpoint user can modify protection settings without a password. By default, the setting matches the setting of the group the computer belongs to.
Inventory # (optional): Enter the inventory number of the computer.
Comment (optional): Add a description or other information.

3. Click Save.
Your settings will be saved.

To delete a computer from the list, click the Delete button.

Note – When you delete a computer from the list it will no longer be monitored by the UTM. However, the installed endpoint software will not automatically be uninstalled, and the policies last deployed will still be active.

11.1.4 Manage Groups

On the Endpoint Protection > Computer Management > Manage Groups tab you can combine

the protected computers to groups, and define endpoint protection settings for groups. All com-

puters belonging to a group share the same antivirus and device policies.

Note – Every computer belongs to exactly one group. Initially, all computers belong to the

Default group. After adding groups, on the Advanced tab you can define which group should

be the default, i.e., which group a newly installed computer will be assigned to automatically.

To create a computer group, proceed as follows:

1.   Click Add Computer Group.

The Add Computer Group dialog box opens.

382   UTM 9 WebAdmin

Page 383: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 383/631

2.   Make the following settings:

Name: Enter a descriptive name for this group.

Antivirus policy: Select the antivirus policy to be applied to the group. The policies aredefined on the Antivirus > Policies tab. Note that you can define group-specificexceptions

from this policy on the Antivirus > Exceptions tab.

Device policy: Select the device policy to be applied to the group. The policies are

defined on the Device Control> Policies tab. Note that you can define group-specific

exceptions from this policy on the Device Control> Exceptions tab.

Tamper protection: If enabled, modification of the protection settings on the respective

endpointslocally is only possible with a password. The password is defined on the

 Advanced tab. If disabled, the endpoint user can modify protection settings without pass-

word. Note that you can change the tamper protection setting for individualcomputers on

the Manage Computers tab.

Web Control: If enabled, endpoints in this group can enforce and report on web filtering

policy, even if they are not on a Sophos UTM network. To enable Endpoint Web Control,

see the Endpoint Protection > Web Control tab.

Use proxy for AutoUpdate: If enabled, the proxy attributes specified in the fields

below will be sent to the endpoints of this group. The endpoints will use the proxy data to

connect to the Internet.

Note – Make sure to enter the correct data. If the endpointsreceive wrong proxy data

they cannot connect to the Internet and to the UTM any more. In this case you will have

to change the configuration on each affected endpoint manually.

Address: Enter the proxy's IP address.

Port: Enter the proxy's port number.

User: Enter the proxy's username if required.

Password: Enter the proxy's password if required.

Computers: Add the computers to belong to the group.

Comment (optional): Add a description or other information.

3. Click Save.

The group will be created and appears on the Manage Groups list. Please note that it may take up to 15 minutes until all computers are reconfigured.

To either edit or delete a group, click the corresponding buttons.

11.1.5 Advanced

On the Endpoint Protection > Computer Management > Advanced tab, the following options can be configured:

Tamper Protection: With tamper protection enabled, protection settings can only be changed on endpoints using this password.

Default Computers Group: Select the computer group a computer will be assigned to automatically, shortly after installation of endpoint protection.

Sophos LiveConnect – Registration: This section contains registration information about your endpoint protection. Amongst others, the information is used to identify installation packages, and it can be used for support purposes.

If you use Sophos Enterprise Console to manage endpoints, you can use this UTM to provide their Web Control policy. Under SEC Information, copy the Hostname and the Shared-Key into the Web Control policy editor in Sophos Enterprise Console.

- Reset registration token: Click this button to prevent endpoints from being installed with a previously deployed installation package. Typically you do this to finish your rollout. If you want new endpoints to be installed, provide a new installation package via the Deploy Agent tab.

Parent Proxy: Use a parent proxy if your UTM does not have direct internet access.

11.2 Antivirus

On the Endpoint Protection > Antivirus pages you can define antivirus settings for the endpoint protection feature. You can create antivirus policies, i.e., sets of antivirus settings, which you can subsequently apply to the computer groups monitored by endpoint protection. Additionally, you can define exceptions for the antivirus features to be applied to specific computer groups.

11.2.1 Policies

On the Endpoint Protection > Antivirus > Policies tab you can manage different sets of antivirus settings which you can subsequently apply to the computer groups monitored by endpoint protection.

By default, the antivirus policy Basic protection represents the best balance between protecting your computer against threats and overall system performance. It cannot be modified.

To add a new antivirus policy, proceed as follows:

1. Click the Add Policy button.

The Add Policy dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this policy.

On-access scanning: If enabled, whenever you copy, move, or open a file, the file will be scanned and access will only be granted if it does not pose a threat to your computer or has been authorized for use.

- Scan for PUA: If enabled, the on-access scanning will include a check for potentially unwanted applications (PUAs).

Automatic cleanup: If enabled, items that contain viruses or spyware will automatically be cleaned up: any items that are purely malware will be deleted, and any items that have been infected will be disinfected. These disinfected files should be considered permanently damaged, as the virus scanner cannot know what the file contained before it was damaged.

Sophos Live Protection: If the antivirus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the Sophos threat identity (IDE) files stored on the computer, certain file data (such as its checksum and other attributes) is sent to Sophos to assist with further analysis. The in-the-cloud checking performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.

- Send sample file: If a file is considered suspicious, but cannot be positively identified as malicious based on the file data alone, you can allow Sophos to request a sample of the file. If this option is enabled, and Sophos does not already hold a sample of the file, the file will be submitted automatically. Submitting sample files helps Sophos to continuously enhance detection of malware without the risk of false positives.

Suspicious behavior (HIPS): If enabled, all system processes are watched for signs of active malware, such as suspicious writes to the registry, file copy actions, or buffer overflow techniques. Suspicious processes will be blocked.

Web protection: If enabled, website URLs are looked up in the Sophos online database of infected websites.

- Block malicious sites: If enabled, sites with malicious content will be blocked.

- Download scanning: If enabled, downloaded data will be scanned by antivirus scanning and blocked if the download contains malicious content.

Scheduled scanning: If enabled, a scan will be executed at a specified time.

- Rootkit scan: If enabled, with each scheduled scan the computer will be scanned for rootkits.

- Low priority scan: If enabled, the on-demand scans will be conducted with a lower priority. Note that this only works from Windows Vista Service Pack 2 onwards.

- Time event: Select a time event when the scans will take place, taking the time zone of the endpoint into account.

Comment (optional): Add a description or other information.

3. Click Save.

The new policy appears on the antivirus policies list. Please note that settings changes may need up to 15 minutes until all computers are reconfigured.

To either edit or delete a policy, click the corresponding buttons.

11.2.2 Exceptions

On the Endpoint Protection > Antivirus > Exceptions tab you can define computer group-specific exceptions from the antivirus settings of endpoint protection. An exception serves to exclude items from scanning which would otherwise be scanned due to an antivirus policy setting.

To add an exception, proceed as follows:

1. On the Exceptions tab, click Add Exception.

The Add Exception dialog box opens.

2. Make the following settings:

Type: Select the type of items you want to skip from on-access and on-demand scanning.

- Adware and PUA: If selected, you can exclude a specific adware or PUA (Potentially Unwanted Application) from scanning and blocking. Adware displays advertising (for example, pop-up messages) that may affect user productivity and system efficiency. PUAs are not malicious, but are generally considered unsuitable for business networks. Add the name of the adware or PUA in the Filename field, e.g., example.stuff.

- Scanning exclusions: If selected, you can exclude a file, a folder, or a network drive from antivirus scanning. Enter the file, folder, or network drive in the File/Path field, e.g., C:\Documents\ or \\Server\Users\Documents\CV.doc.

- Scanning extensions: If selected, you can add files with a specific extension so that they will be scanned by antivirus scanning. Enter the extension in the Extension field, e.g., html.

- Buffer overflow: If selected, you can prevent an application using buffer overflow techniques from being blocked through behavior monitoring. Optionally enter the name of the application file in the Filename field and upload the file via the Upload field.

- Suspicious files: If selected, you can prevent a suspicious file from being blocked through antivirus scanning. Upload the file via the Upload field. UTM generates the MD5 checksum of the file. The name of the uploaded file will automatically be used for the Filename field. Optionally modify the filename. If a file having the defined filename and the stored MD5 sum is found on the client, it will not be blocked through antivirus scanning.

- Suspicious behaviors: If selected, you can prevent a file from being blocked through suspicious behavior detection. Optionally enter the name of the file in the Filename field and upload the file via the Upload field.

- Websites: If selected, websites matching the properties specified in the Web format field will not be scanned through antivirus protection.

Web format: Specify the server(s) with the websites you want to allow to be visited.

- Domain name: Enter the name of the domain to be allowed into the Website field.

- IP address with subnet mask: Enter the IPv4 address and netmask of the computers to be allowed.

- IP address: Enter the IPv4 address of the computer to be allowed.

Upload (only with types Buffer overflow, Suspicious files, and Suspicious behaviors): Upload the file that should be skipped from antivirus scanning.

Computers Groups: Select the computer groups for which this exception is valid.

Comment (optional): Add a description or other information.

3. Click Save.

The new exception appears on the Exceptions list.

To either edit or delete an exception, click the corresponding buttons.
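To make the matching rules of these exception types concrete, the following is an added example (not Sophos code) that models Suspicious files, Websites, and Scanning exclusions entries and evaluates a client file or requested host against them; the record layouts, function names, the subdomain rule, and the sample values are assumptions.

```python
"""Evaluate endpoint antivirus exceptions of the kinds described in this section.

Added example, not Sophos code: the UTM's internal representation of an
exception is not public, so the record layouts, function names and the
constructed sample values are assumptions made for illustration.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SuspiciousFileException:
    """Type 'Suspicious files': the filename plus the MD5 the UTM stored at upload."""
    filename: str
    md5: str


@dataclass(frozen=True)
class WebsiteException:
    """Type 'Websites': web_format is 'domain', 'ip' or 'ip_netmask'."""
    web_format: str
    value: str


@dataclass(frozen=True)
class ScanningExclusion:
    """Type 'Scanning exclusions': a file, a folder (trailing backslash) or a UNC path."""
    path: str


def md5_of(content: bytes) -> str:
    """The checksum the UTM generates when a file is uploaded for a Suspicious files exception."""
    return hashlib.md5(content).hexdigest()


def suspicious_file_allowed(exc: SuspiciousFileException, filename: str, content: bytes) -> bool:
    """The exception applies only if both the filename and the MD5 sum match.

    Changing a single byte changes the MD5, so a modified copy of the allowed
    file is still subject to scanning. Filename comparison is case-insensitive,
    as on Windows (an assumption for this example).
    """
    return (filename.lower() == exc.filename.lower()
            and md5_of(content) == exc.md5.lower())


def website_allowed(exc: WebsiteException, host: str) -> bool:
    """Match a requested host against one Websites exception."""
    if exc.web_format == "domain":
        # Assumption: a domain entry also covers its subdomains.
        h = host.lower().rstrip(".")
        d = exc.value.lower().rstrip(".")
        return h == d or h.endswith("." + d)
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False  # a hostname never matches an IP-based entry
    if exc.web_format == "ip":
        return addr == ipaddress.IPv4Address(exc.value)
    if exc.web_format == "ip_netmask":
        # Accepts "192.0.2.0/255.255.255.0", i.e. address plus netmask.
        return addr in ipaddress.IPv4Network(exc.value, strict=False)
    raise ValueError(f"unknown web format: {exc.web_format!r}")


def path_excluded(exc: ScanningExclusion, file_path: str) -> bool:
    """Folder entries (trailing backslash) cover everything below them; file entries match exactly."""
    p = file_path.lower().replace("/", "\\")
    e = exc.path.lower().replace("/", "\\")
    return p.startswith(e) if e.endswith("\\") else p == e


def needs_scan(exceptions, filename: str, content: bytes, full_path: str) -> bool:
    """True if no Suspicious files or Scanning exclusions entry covers this file."""
    for exc in exceptions:
        if isinstance(exc, SuspiciousFileException) and suspicious_file_allowed(exc, filename, content):
            return False
        if isinstance(exc, ScanningExclusion) and path_excluded(exc, full_path):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data, not a real policy.
    sample = b"constructed sample content"
    excs = [
        SuspiciousFileException("tool.exe", md5_of(sample)),
        ScanningExclusion("C:\\Documents\\"),
        WebsiteException("ip_netmask", "192.0.2.0/255.255.255.0"),
    ]
    print(needs_scan(excs, "TOOL.EXE", sample, "C:\\Temp\\TOOL.EXE"))         # False
    print(needs_scan(excs, "tool.exe", sample + b"!", "C:\\Temp\\tool.exe"))   # True
    print(website_allowed(excs[2], "192.0.2.77"))                              # True
```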

11.3 Device Control

On the Endpoint Protection > Device Control pages you can control devices attached to computers monitored by endpoint protection. Basically, in a device policy, you define which types of devices are allowed or blocked for the computer groups the policy is assigned to. As soon as a device is detected, the endpoint protection checks if it is allowed according to the device policy applied to the computer group of the respective computer. If it is blocked or restricted due to the device policy, it will be displayed on the Exceptions tab, where you can add an exception for the device.

11.3.1 Policies

On the Endpoint Protection > Device Control > Policies tab you can manage different sets of device control settings which can subsequently be applied to the computer groups monitored by endpoint protection. These sets are called device policies.

By default two device policies are available: Blocked All prohibits the usage of all types of devices, whereas Full Access permits all rights for all devices. These policies cannot be modified.

To add a new policy, proceed as follows:

1. Click the Add Policy button.

The Add Policy dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this policy.

Storage Devices: For different types of storage devices you can configure whether they should be Allowed or Blocked. Where applicable, a Read only entry is available, too.

Network Devices: For modems and wireless networks you can configure whether they should be Allowed, Block bridged, or Blocked.

Short Range Devices: For Bluetooth and infrared devices you can configure whether they should be Allowed or Blocked.

3. Comment (optional): Add a description or other information.

4. Click Save.

The new policy appears on the device control policies list. It can now be applied to a computer group. Please note that settings changes may need up to 15 minutes until all computers are reconfigured.

To either edit or delete a policy, click the corresponding buttons.

11.3.2 Exceptions

On the Endpoint Protection > Device Control > Exceptions tab you can create protection exceptions for devices. An exception always allows something which is forbidden by the device policy assigned to a computer group. Exceptions are made for computer groups, therefore an exception always applies to all computers of the selected group(s).

The Exceptions list automatically shows all detected devices that are blocked or access-restricted by the applied device control policies. As floppy drives technically cannot be distinguished, if multiple floppy drives are connected, only one entry will be displayed which serves as a placeholder for all floppy drives.

To add an exception for a device, proceed as follows:

1. Click the Edit button of the device.

The Edit Device dialog box opens.

2. Make the following settings:

Allowed: Add the computer groups for which this device should be allowed.

Read only or bridged: Add the computer groups for which this device should be allowed in read-only mode (applies to storage devices) or bridged mode (applies to network devices).

Apply to all: If you select this option, the current settings will be applied to all devices with the same device ID. This is for example useful if you want to assign a generic exception to a set of USB sticks of the same type.

Mode: This option is only available when you unselect the Apply to all checkbox. In this case you have to specify what becomes of other devices having the generic exception. If you want to keep the generic exception for the affected devices, select Keep for others. If you want to delete the generic exception, select Delete for others.

Tip – For more information and examples concerning generic exceptions, see section Working With Generic Device Exceptions below.

Comment (optional): Add a description or other information.

3. Click Save.

The computer groups along with their exceptions will be displayed with the edited device.

Note – Once a device exists on the Exceptions list, it will stay on the list until you delete it using the Delete button. Typically you would delete a device after the corresponding hardware device has been removed irrevocably (e.g., an optical drive does not exist any longer) or after changing your device policies (e.g., wireless network adapters are now generally allowed). When you delete a device which is still in use, a message box opens that you need to confirm with OK. After that the device will be deleted from the list. If an exception existed for this device, the exception will automatically be invalidated, i.e., the current device policy will be applied to the device.

Working With Generic Device Exceptions

A generic device exception is an exception which is automatically applied to all devices having the same device ID.

Creating a Generic Exception

1. Click the Edit button of a device that does not have a generic exception, i.e., the Apply to all checkbox is unselected.

2. Configure the exception and select the Apply to all checkbox.

3. Save the exception.

The exception will be applied to all devices having the same device ID.

Excluding a Device From a Generic Exception

1. Click the Edit button of the device you want to exclude from an existing generic exception.

2. Configure the individual exception and unselect the Apply to all checkbox.

3. In the Mode drop-down list, select Keep for others.

4. Save the exception.

The edited device will have an individual exception, whereas the others will keep the generic exception.

Changing the Settings for All Devices Having the Generic Exception

1. Click the Edit button of one of the devices having a generic exception.

2. Configure the exception while keeping the Apply to all checkbox selected.

3. Save the exception.

The settings of all devices having the same device ID where the Apply to all checkbox is selected will be changed accordingly.

Deleting a Generic Exception

1. Click the Edit button of one of the devices having the generic exception.

2. Unselect the Apply to all checkbox.

3. In the Mode drop-down list, select Delete for others.

4. Save the exception.

The exceptions of all devices having the same device ID where the Apply to all checkbox was selected will be deleted. Only the edited device still has an exception, which is now an individual one.

11.4 Endpoint Web Control

While the Sophos UTM provides security and productivity protection for systems browsing the web from within your corporate network, Endpoint Web Control extends this protection to users' machines. This provides protection, control, and reporting for endpoint machines that are located, or roam, outside your corporate network. When enabled, all policies that are defined in Web Protection > Web Filtering and Web Protection > Web Filter Profiles > Proxy Profiles are enforced by Endpoint Web Control, even if the computer is not on a UTM network.

Sophos UTM and Sophos endpoints communicate through LiveConnect, a cloud service that enables instant policy and reporting updates by seamlessly connecting Sophos UTM and roaming Sophos endpoints. For instance, a roaming laptop at home or in a coffee shop would still enforce Web Control policy, and the Sophos UTM will receive logging information from the roaming laptop.

11.4.1 Global

On the Endpoint Protection > Web Control > Global tab you can enable or disable endpoint web control. To configure filtering policies for Endpoint Web Control, Web Control must be enabled for the relevant group on the Endpoint Protection > Computer Management > Manage Groups page, and that group must be referenced in a proxy profile on the Web Protection > Web Filter Profiles > Proxy Profiles tab.

11.4.2 Advanced

On the Endpoint Protection > Web Control > Advanced tab you can select Scan traffic on both gateway and endpoint. By default, the Sophos UTM does not scan web traffic for endpoints that have Web Control enabled. If this option is selected, both the endpoint and the Sophos UTM will filter web traffic. To help provide additional security, configure Web Protection > Web Filtering > Policies to use Dual Scan (Maximum Security) within the Antivirus part of the filter action. Alternately, select a different scan engine on the Management > System Settings > Scan Settings tab. Either option will provide a different antivirus scanning engine on the Sophos UTM than is included on the endpoint, increasing security.

11.4.3 Features not Supported

While there are many benefits to extending Web Control to the Endpoint, some features are only available from within a Sophos UTM network. The following features are supported on the Sophos UTM, but not supported by Endpoint Web Control:

- Scan HTTPS (SSL) Traffic: HTTPS traffic cannot be scanned by the Endpoint. If the Endpoint is proxying through the UTM and this feature is turned on, the traffic will be scanned by the UTM.

- Authentication Mode: The Endpoint will always use the currently logged on user (SSO). The Endpoint cannot perform authentication because if the Endpoint is roaming it will not be able to talk to the UTM to authenticate.

- Antivirus/Malware: Sophos endpoint antivirus settings are configured on the Endpoint Protection > Antivirus page. If Web Protection (Download scanning) is turned on, it will always perform a single virus scan for all web content. Dual scan and maximum scanning size are not supported.

- Active Content Removal

- YouTube for Schools

- Streaming Settings: The Sophos Endpoint will always scan streaming content for viruses.

- Block Unscannable and Encrypted Files

- Block by Download Size

- Allowed Target Services: This feature applies only to the Sophos UTM.

- Web Caching: This feature applies only to the Sophos UTM.

12 Wireless Protection

The Wireless Protection menu allows you to configure and manage wireless access points for your Sophos UTM, the corresponding wireless networks, and the clients which use wireless access. The access points are automatically configured on your UTM, so there is no need to configure them individually. The communication between the UTM and the access point, which is used to exchange the access point configuration and status information, is encrypted using AES.

Important Note – When the lights of your access point blink furiously, do not disconnect it from power! Furiously blinking lights mean that a firmware flash is currently in progress. A firmware flash takes place for example after a UTM system update that comes with a Wireless Protection update.

The following topics are included in this chapter:

- Global Settings
- Wireless Networks
- Mesh Networks
- Access Points
- Wireless Clients
- Hotspots

The Wireless Protection overview page gives you general information on connected access points, their status, connected clients, wireless networks, mesh networks, and mesh peer links. In the Currently Connected section, you can sort the entries by SSID or by access point, and you can expand and collapse the individual entries by clicking the Collapse icon on the left.

Live Log

You can click the Open Wireless Protection Live Log button to see detailed connection and debug information for the access points and clients trying to connect.

12.1 Global Settings

On the Wireless Protection > Global Settings pages you can enable Wireless Protection, configure network interfaces for Wireless Protection, and configure WPA/WPA2 enterprise authentication.

12.1.1 Global Settings

On the Wireless Protection > Global Settings > Global Settings tab you can enable or disable Wireless Protection.

To enable Wireless Protection do the following:

1. On the Global Settings tab, enable Wireless Protection.

Click the toggle switch.

The toggle switch turns amber and the Access Control area becomes editable.

When enabling Wireless Protection for the first time, the Initial Setup section appears. It shows the configuration which will be created: a separate wireless "Guest" network using WPA2 personal encryption with DHCP for wireless clients, which will be allowed to use DNS on the UTM and the Web Surfing service. The pre-shared key is auto-generated and will only be shown in this section. This initial configuration is intended as a template. You can edit the settings at any time on the Wireless Protection > Wireless Networks page.

Skip Automatic Configuration: You can also skip the initial setup by selecting this option. You will then need to configure the wireless settings manually.

2. Select a network interface for the access point.

Click the Folder icon in the Allowed interfaces section to select a configured interface where the access point is going to be plugged in. Make sure that a DHCP server is associated with this interface.

3. Click Apply.

Your settings will be saved. The toggle switch turns green to indicate that Wireless Protection is active.

You can now continue by plugging the access point into the configured network interface. If you decided to skip the automatic configuration, proceed with the configuration on the Wireless Networks page.

To cancel the configuration, click the amber colored toggle switch.

As soon as you plug in an access point it will automatically connect to the system. Newly connected, unconfigured access points are listed as Pending Access Points on the Access Points > Overview page.

12.1.2 Advanced

On the Wireless Protection > Global Settings > Advanced tab you can configure your access points to use WPA/WPA2 enterprise authentication.

For enterprise authentication, you need to provide some information about your RADIUS server. Note that the AP(s) do not communicate with the RADIUS server for authentication; only the UTM does. Port 414 is used for the RADIUS communication between the UTM and the AP(s).

Note – When your RADIUS server is connected to the UTM via an IPsec tunnel, you have to configure an additional SNAT rule to ensure that the communication works correctly. On the Network Protection > NAT > NAT tab, add the following SNAT rule: For traffic from the APs' network(s), using service RADIUS, and going to the RADIUS server, replace the source address with the UTM's IP address used to reach the RADIUS server.

Select the requested Radius Server from the drop-down list. Servers can be added and configured on Definitions & Users > Authentication Services > Servers.

Click Apply to save your settings.

12.2 Wireless Networks

On the Wireless Protection > Wireless Networks page you can define your wireless networks, such as their SSID and encryption method. Moreover, you can define whether the wireless network should have a separate IP address range or be bridged into the LAN of the access point.

To define a new wireless network, do the following:

1. On the Wireless Networks page, click Add Wireless Network.

The Add Wireless Network dialog box opens.

2. Make the following settings:

Network name: Enter a descriptive name for the network.

Network SSID: Enter the Service Set Identifier (SSID) for the network which will be seen by clients to identify the wireless network. The SSID may consist of 1-32 ASCII printable characters (see http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters). It must not contain a comma and must not begin or end with a space.

Encryption mode: Select an encryption mode from the drop-down list. Default is WPA2 Personal. We recommend to prefer WPA2 over WPA, if possible. For security reasons, it is recommended to not use WEP unless there are clients using your wireless network that do not support one of the other methods. When using an enterprise authentication method, you also need to configure a RADIUS server on the Global Settings > Advanced tab. As NAS ID of the RADIUS server enter the wireless network name.

Passphrase/PSK: Only available with WPA/WPA2 Personal encryption mode. Enter the passphrase to protect the wireless network from unauthorized access and repeat it in the next field. The passphrase may consist of 8-63 ASCII printable characters.

128-bit WEP key: Only available with WEP encryption mode. Enter a WEP key here that consists of exactly 26 hexadecimal characters.

Client traffic: Select a method how the wireless network is to be integrated into your local network.

- Separate zone (default): The wireless network is handled as a separate network, having an IP address range of its own. Using this option, after adding the wireless network you have to continue your setup as described in the section below (Next Steps for Separate Zone Networks).

Note – When switching an existing Separate Zone network to Bridge to AP LAN or Bridge to VLAN, already configured WLAN interfaces on the UTM will be disabled and the interface object will become unassigned. However, you can assign a new hardware interface to the interface object by editing it and thus re-enable it.

- Bridge to AP LAN: You can also bridge the wireless network into the network of the access point, which means that the wireless clients share the same IP address range.

Note – If VLAN is enabled, the wireless clients will be bridged into the VLAN network of the access point.

- Bridge to VLAN: You can decide to have this wireless network's traffic bridged to a VLAN of your choice. This is useful when you want the access points to be in a common network separate from the wireless clients.

Bridge to VLAN ID: Enter the VLAN ID of the network that the wireless clients should be part of.

Client VLAN ID (only available with an Enterprise encryption mode): Select how the VLAN ID is defined:

- Static: Uses the VLAN ID defined in the Bridge to VLAN ID field.

- RADIUS & Static: Uses the VLAN ID delivered by your RADIUS server: When a user connects to one of your wireless networks and authenticates at your RADIUS server, the RADIUS server tells the access point what VLAN ID to use for that user. Thus, when using multiple wireless networks, you can define per user who has access to which internal networks. If a user does not have a VLAN ID attribute assigned, the VLAN ID defined in the Bridge to VLAN ID field will be used.

Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:

Algorithm (only available with WPA/WPA2 encryption mode): Select an encryption algorithm which can be either AES or TKIP. For security reasons, it is recommended to use AES.

Frequency band: The access points assigned to this wireless network will transmit on the selected frequency band(s). The 5 GHz band generally has higher performance, lower latency, and is typically less disturbed. Hence it should be preferred for e.g. VoIP communication. Note that only AP 50 is able to send on the 5 GHz band.

Time-based access: Select this option if you want to automatically enable and disable the wireless network according to a time schedule.

Select active time: Select a time period definition which determines when the wireless network is enabled. You can add a new time period definition by clicking the Plus icon.

Client isolation: Clients within a network normally can communicate with one another. If you want to prevent this, for example in a guest network, select Enabled from the drop-down list.

Hide SSID: Sometimes you want to hide your SSID. Select Yes from the drop-down list to do so. Please note that this is no security feature.

MAC filtering type: To restrict the MAC addresses allowed to connect to this wireless network, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.

MAC addresses: The list of MAC addresses used to restrict access to the wireless network. MAC address lists can be created on the Definitions & Users > Network Definitions > MAC Address Definitions tab. Note that a maximum of 200 MAC addresses is allowed.

4. Click Save.

Your settings will be saved. The wireless network appears on the Wireless Networks list.

Next Steps for Separate Zone Networks

When you created a wireless network with the option Separate Zone, a new corresponding virtual hardware interface will be created automatically, e.g., wlan0. To be able to use the wireless network, some further manual configuration steps are required. Proceed as follows:

1. Configure a new network interface.

On the Interfaces & Routing > Interfaces > Interfaces tab create a new interface and select your wlan interface (e.g., wlan0) as hardware. Make sure that the type is "Ethernet" and specify the IP address and netmask of your wireless network.

2. Enable DHCP for the wireless clients.

For your clients to be able to connect to UTM, they need to be assigned an IP address and a default gateway. Therefore, on the Network Services > DHCP > Servers tab, set up a DHCP server for the interface.

3. Enable DNS for the wireless clients.

For your clients to be able to resolve DNS names they have to get access to DNS servers. On the Network Services > DNS > Global tab, add the interface to the list of allowed networks.


4. Create a NAT rule to mask the wireless network.

As with any other network you have to translate the wireless network's addresses into the address of the uplink interface. You create the NAT rule on the Network Protection > NAT > Masquerading tab.

5. Create one or more packet filter rules to allow traffic from and to the wireless network.

As with any other network you have to create one or more packet filter rules to allow the traffic to pass the UTM, e.g., web surfing traffic. You create packet filter rules on the Network Protection > Firewall > Rules tab.

12.3 Access Points

The Wireless Protection > Access Points pages provide an overview of the access points (AP) known to the system. You can edit AP attributes, delete or group APs and assign wireless networks to APs or AP groups.

Note – With BasicGuard subscription, only one access point can connect to UTM. The maximum number of access points is limited to 223 by any UTM appliance.

Types of Access Points

Currently, Sophos provides four different access points:

• AP 5: standards 802.11b/g/n, 2.4 GHz band
  It can only be connected to a RED rev2 or rev3 with USB connector and supports exactly one SSID with the WLAN type Bridge to AP LAN and a maximum of 7 wireless clients.

• AP 10: standards 802.11b/g/n, 2.4 GHz band

• AP 15: standards 802.11b/g/n, 2.4 GHz band
  There are two different AP 15 models available where the available channels differ:
  • FCC regulatory domain (mainly US): channels 1–11
  • ETSI regulatory domain (mainly Europe): channels 1–13

• AP 30: standards 802.11b/g/n, 2.4 GHz band

• AP 50: standards 802.11a/b/g/n, 2.4/5 GHz dual-band/dual-radio
  There are two different AP 50 models available where the available channels differ:
  • FCC regulatory domain (mainly US): channels 1–11, 36, 40, 44, 48
  • ETSI regulatory domain (mainly Europe): channels 1–13, 36, 40, 44, 48
  Note that the country setting of an AP regulates the available channels to be compliant with local law.

• AP 100: standards 802.11a/b/g/n/ac, 2.4/5 GHz dual-band/dual-radio
  There are two different AP 100 models available where the available channels differ:
  • FCC regulatory domain (mainly US): channels 1–11, 36–48, 149–165
  • ETSI regulatory domain (mainly Europe): channels 1–13, 36–64, 100–116, 132–140

Cross Reference – For detailed information about access points see the Operating Instructions in the Sophos UTM Resource Center.

12.3.1 Overview

The Wireless Protection > Access Points > Overview page provides an overview of access points (AP) known to the system. The Sophos UTM distinguishes between active, inactive and pending APs. To make sure that only genuine APs connect to your network, APs need to be authorized first.

Note – If you want to use an AP 5, first enable RED management and set up the RED. Then make sure that the RED interface is added to the allowed interfaces on the Wireless Protection > Global Settings page. After connecting the AP 5 to the RED, the AP 5 should be displayed in the Pending Access Points section.

Access points can be temporarily disabled on the Grouping tab. When an AP is physically removed from your network, you can delete it here by clicking the Delete button. As long as the AP remains connected to your network, it will automatically re-appear in Pending state after deletion.

Tip – Each section of this page can be collapsed and expanded by clicking the Collapse icon on the right of the section header.


Active Access Points

Here, APs are listed that are connected, configured, and running. To edit an AP, click the Edit button (see Editing an Access Point below).

Inactive Access Points

Here, APs are listed that have been configured in the past but are currently not connected to the UTM. If an AP remains in this state for more than five minutes, please check the network connectivity of the AP and the configuration of your system. A restart of the Wireless Protection service will erase Last Seen timestamps. To edit an AP, click the Edit button (see Editing an Access Point below).

Pending Access Points

Here, APs are listed that are connected to the system but not yet authorized. To authorize an access point, click the Accept button (see Editing an Access Point below).

After receiving its configuration, the now authorized access point will be immediately displayed in one of the above sections, depending on whether it is currently active or not.

Editing an Access Point

1. Click the Edit or Accept button of the respective access point.

The Edit Access Point dialog window opens.

2. Make the following settings:

Label (optional): Enter a label to easily identify the AP in your network.

Country: Select the country where the AP is located.

Important Note – The country code regulates which channels will be available for transmit. To comply with local law, always select the correct country (see also chapter Access Points).

Group (optional): You can organize APs in groups. If a group has been created before, you can select it from the drop-down list. Otherwise select << New group >> and enter a name for the group into the appearing Name text box. Groups can be organized on the Grouping tab.


3. In the Wireless Networks section, make the following settings:

Wireless network selection (only if no group or a new group is selected): Select the wireless networks the access point should broadcast. This is useful if you have, for example, a company wireless network that should only be broadcast in your offices, and a guest wireless network that should only be broadcast in public parts of your building. You can search the wireless network list by using the filter field in the list header.

Note – For an access point to broadcast a wireless network some conditions have to be fulfilled. They are explained in section Rules for Assigning Networks to APs below.

4. Optionally, in the Mesh Networks section, make the following settings (only available with AP 50 and only if a mesh network is defined on the Mesh Networks tab):

Mesh roles: Click the Plus icon to select mesh networks that should be broadcast by the access point. A dialog window opens.

• Mesh: Select the mesh network.

• Role: Define the access point's role for the selected mesh network. A root access point is directly connected to the UTM. A mesh access point, after having received its initial configuration, once unplugged from the UTM will connect to a root access point via the mesh network. Note that an access point can be mesh access point only for one single mesh network.

After saving, the access point icon in the Mesh roles list designates the access point's role. Via the functional icons you can edit a mesh role or delete it from the list.

Important Note – If you delete a mesh role from the Mesh roles list, you have to plug the access point into your Ethernet again to get its initial configuration. To change the mesh network without having to plug the access point into your Ethernet again, do not delete the mesh role but instead click the Edit icon of the mesh role, and select the desired mesh network.

5. Optionally, make the following advanced settings:

Channel 2.4 GHz: You can keep the default setting Auto, which will automatically select the least used channel for transmit. Or you can select a fixed channel.

Channel 5 GHz (only available with AP 50): You can keep the default setting Auto, which will automatically select the least used channel for transmit. Or you can select a fixed channel.


Tip – When you select Auto, the currently used channel will be announced in the access point entry.

TX power 2.4 GHz: You can keep the default setting 100 % for the access point to send with maximum power. Or you can down-regulate the power to reduce the operating distance, e.g., to minimize interference.

TX power 5 GHz (only available with AP 50): For AP 50 you can down-regulate the power output for the 5 GHz band separately.

STP: To enable Spanning Tree Protocol, select Enabled from the drop-down list. This network protocol detects and prevents bridge loops. STP is mandatory if the access point broadcasts a mesh network.

VLAN tagging: VLAN tagging is disabled by default. If you want to connect the AP with an existing VLAN Ethernet interface, you need to enable VLAN tagging by selecting the checkbox. Make sure that the VLAN Ethernet interface is added to the Allowed interfaces box on the Global Settings > Global Settings page.

Note – To introduce the usage of VLAN for your access points in your network, take the following steps: Connect the AP to the UTM using standard LAN for at least a minute. This is necessary for the AP to get its configuration. If it were connected via VLAN from the beginning, the AP would not know of being in a VLAN and therefore would not be able to connect to the UTM to get its configuration. When the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to its intended VLAN, e.g., a switch.

Note – VLAN tagging is not possible with AP 5.

AP VLAN ID: When VLAN tagging is enabled, enter the VLAN tag of the VLAN the access point should use to connect to the UTM. Do not use the VLAN tags 0 and 1 as they usually have a special meaning on networking hardware like switches, and 4095 is reserved by convention.

Note – When VLAN tagging is configured, the AP will try DHCP on the configured VLAN for 60 seconds. If no IP address is received during that time, the AP will try DHCP on the regular LAN as a fallback.


6. Click Save.

The access point receives its configuration or configuration update, respectively.

Note – A configuration change needs approximately 15 seconds until all interfaces are reconfigured.

If VLAN tagging is configured but the AP cannot contact the UTM via VLAN, the AP will reboot itself and try again after receiving the configuration.

Rules for Assigning Networks to APs

An access point can only be assigned to a wireless network if the Client traffic option of the wireless network and the VLAN tagging option of the access point fit together. The following rules apply:

• Wireless network with client traffic Separate Zone: VLAN tagging of the access point can be enabled or disabled.

• Wireless network with client traffic Bridge to AP LAN: VLAN tagging of the access point has to be disabled.

• Wireless network with client traffic Bridge to VLAN: VLAN tagging of the access point has to be enabled. The respective wireless clients will use the Bridge to VLAN ID specified for the wireless network, or they will receive their VLAN ID from the RADIUS server, if specified.

Note – An AP 5 can only be assigned one single wireless network with the Client traffic option Bridge to AP LAN.
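The assignment rules above, together with the AP 5 note and the VLAN ID advice given for the AP VLAN ID setting, as an added Python example (not Sophos code): a small validator that refuses an assignment whose Client traffic mode and AP VLAN tagging setting do not fit and flags the VLAN tags the guide warns about. The class and function names are my own, not WebAdmin identifiers.

```python
"""Compatibility check for assigning wireless networks to access points.

Added example, not Sophos code. It encodes the rules the guide states:
Client traffic mode of the wireless network versus the VLAN tagging
setting of the access point, the AP 5 restriction (a single network,
Bridge to AP LAN only, no VLAN tagging) and the VLAN ID advice
(avoid 0 and 1; 4095 is reserved by convention).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ClientTraffic(Enum):
    SEPARATE_ZONE = "Separate Zone"
    BRIDGE_TO_AP_LAN = "Bridge to AP LAN"
    BRIDGE_TO_VLAN = "Bridge to VLAN"


@dataclass
class WirelessNetwork:
    ssid: str
    client_traffic: ClientTraffic
    bridge_to_vlan_id: Optional[int] = None   # only meaningful for Bridge to VLAN


@dataclass
class AccessPoint:
    label: str
    model: str                                # e.g. "AP 5", "AP 50" (constructed values)
    vlan_tagging: bool = False
    ap_vlan_id: Optional[int] = None          # VLAN the AP itself uses to reach the UTM
    networks: List[WirelessNetwork] = field(default_factory=list)


def check_vlan_id(vlan_id: int) -> List[str]:
    """Return the problems with a VLAN tag, following the guide's advice."""
    problems = []
    if not 0 <= vlan_id <= 4095:
        problems.append(f"VLAN ID {vlan_id} is outside the 12-bit range 0-4095")
    elif vlan_id in (0, 1):
        problems.append(f"VLAN ID {vlan_id} usually has a special meaning on switches")
    elif vlan_id == 4095:
        problems.append("VLAN ID 4095 is reserved by convention")
    return problems


def assignment_problems(ap: AccessPoint, net: WirelessNetwork) -> List[str]:
    """Return the reasons why `net` cannot be assigned to `ap` (empty list = OK)."""
    problems = []
    mode = net.client_traffic

    # Rule: Bridge to AP LAN requires VLAN tagging to be disabled on the AP.
    if mode is ClientTraffic.BRIDGE_TO_AP_LAN and ap.vlan_tagging:
        problems.append("Bridge to AP LAN requires VLAN tagging disabled on the AP")

    # Rule: Bridge to VLAN requires VLAN tagging to be enabled on the AP,
    # and the network needs a usable Bridge to VLAN ID.
    if mode is ClientTraffic.BRIDGE_TO_VLAN:
        if not ap.vlan_tagging:
            problems.append("Bridge to VLAN requires VLAN tagging enabled on the AP")
        if net.bridge_to_vlan_id is None:
            problems.append("Bridge to VLAN network has no Bridge to VLAN ID")
        else:
            problems += check_vlan_id(net.bridge_to_vlan_id)

    # Separate Zone works with either AP setting, so there is no rule for it.

    # AP 5 limits: no VLAN tagging, one single network, Bridge to AP LAN only.
    if ap.model == "AP 5":
        if ap.vlan_tagging:
            problems.append("VLAN tagging is not possible with AP 5")
        if mode is not ClientTraffic.BRIDGE_TO_AP_LAN:
            problems.append("AP 5 only supports Bridge to AP LAN networks")
        if ap.networks:
            problems.append("AP 5 can only be assigned one single wireless network")

    # The AP's own management VLAN tag must be set and sane when tagging is on.
    if ap.vlan_tagging:
        if ap.ap_vlan_id is None:
            problems.append("VLAN tagging enabled but no AP VLAN ID set")
        else:
            problems += check_vlan_id(ap.ap_vlan_id)
    return problems


def assign(ap: AccessPoint, net: WirelessNetwork) -> bool:
    """Assign `net` to `ap` if the rules allow it; return True on success."""
    if assignment_problems(ap, net):
        return False
    ap.networks.append(net)
    return True
```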

Reflash Bricked APs

The main reason for returned access points is bricked devices with a broken firmware. Therefore you can download a tool to reflash Sophos Access Points. The tool is available here.

If you are running the tool on Windows 8, you may have to disable the Windows Firewall first.

To reflash a Sophos Access Point, proceed as follows:

1. Download the AP reflash utility.

2. Extract the downloaded files.

3. Run the exe-file as Administrator to start the reflash utility.


4. Follow the instructions to flash the AP device.

The power LED will flash very fast. The process is completed when the power LED flashes every second.

Reflash Bricked RED Devices

You can download a tool to reflash Sophos RED 10 devices. The tool is available here.

If you are running the tool on Windows 8, you may have to disable the Windows Firewall first.

To reflash a Sophos RED, proceed as follows:

1. Download the reflash utility.

2. Extract the downloaded files.

3. Run the exe-file as Administrator to start the reflash utility.

4. Follow the instructions to reflash the RED device.

Flashing will take about two minutes.

12.3.2 Grouping

On the Wireless Protection > Access Points > Grouping page you can organize access points in groups. The list provides an overview of all access point groups and ungrouped access points. Access points and groups can be distinguished by their respective icon.

To create an access point group, proceed as follows:

1. On the Grouping page, click New Group.

The New Access Point Group dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for the access point group.

VLAN tagging: VLAN tagging is disabled by default. If you want to connect the AP with an existing VLAN Ethernet interface, you need to enable VLAN tagging by selecting the checkbox. Make sure that the VLAN Ethernet interface is added to the Allowed interfaces box on the Global Settings > Global Settings page.

• AP VLAN ID: Enter the VLAN tag that should be used by this group of APs to connect to UTM. Do not use the VLAN tags 0 and 1 as they usually have a special meaning on networking hardware like switches, and 4095 is reserved by convention.

Access point selection: Select the access points that should become members of the group. Only access points that are not assigned to any other group are displayed.

Wireless network selection: Select the wireless networks that should be broadcast by the access points of this group.

Note – For an access point to broadcast a wireless network some conditions have to be fulfilled. They are explained in chapter Access Points > Overview, section Rules for Assigning Networks to APs.

3. Click Save.

The new access point group appears on the Grouping list.

To either edit or delete a group, click the corresponding buttons of a group.

To either edit or delete an access point, click the corresponding buttons of an access point. For more information about editing and deleting access points see chapter Access Points > Overview.

12.4 Mesh Networks

On the Wireless Protection > Mesh Networks page you can define mesh networks, and associate access points that should broadcast them. In general, in a mesh network multiple access points communicate with each other and broadcast a common wireless network. On the one hand, access points connected via a mesh network can broadcast the same wireless network to clients, thus working as a single access point, while covering a wider area. On the other hand, a mesh network can be used to bridge Ethernet networks without laying cables.

Access points associated with a mesh network can play one of two roles: root access point or mesh access point. Both broadcast the mesh network, thus the number of other wireless networks they can broadcast is reduced by one.

• Root access point: It has a wired connection to the UTM and provides a mesh network. An access point can be root access point for multiple mesh networks.

• Mesh access point: It needs a mesh network to connect to the UTM via a root access point. An access point can be mesh access point for only one single mesh network at a time.

A mesh network can be used for two main use cases: you can implement a wireless bridge or a wireless repeater:

• Wireless bridge: Using two access points, you can establish a wireless connection between two Ethernet segments. A wireless bridge is useful when you cannot lay a cable to connect those Ethernet segments. While the first Ethernet segment with your UTM is connected to the Ethernet interface of the root access point, the second Ethernet segment has to be connected to the Ethernet interface of the mesh access point. Using multiple mesh access points, you can connect more Ethernet segments.

Figure 22 Mesh Network Use Case Wireless Bridge

• Wireless repeater: Your Ethernet with your UTM is connected to the Ethernet interface of a root access point. The root access point has a wireless connection via the mesh network to a mesh access point, which broadcasts wireless networks to wireless clients.

Figure 23 Mesh Network Use Case Wireless Repeater

To define a new mesh network, do the following:

1. On the Mesh Networks page, click Add Mesh Network.

The Add Mesh Network dialog box opens.


2. Make the following settings:

Mesh-ID: Enter a unique ID for the mesh network.

Frequency band: Access points assigned to this network will transmit the mesh network on the selected frequency band. Generally, it is a good idea to use a different frequency band for the mesh network than for the broadcast wireless networks.

Comment (optional): Add a description or other information.

Access points: Click the Plus icon to select access points that should broadcast the mesh network. A dialog window Add Mesh Role opens:

• AP: Select an access point. Note that only AP 50 access points can be used for broadcasting mesh networks at the moment.

• Role: Define the access point's role for the selected mesh network. A root access point is directly connected to the UTM. A mesh access point, after having received its initial configuration, once unplugged from the UTM will connect to a root access point via the mesh network. Note that an access point can be mesh access point only for one single mesh network.

Note – It is crucial for the initial configuration to plug the mesh access point, like every other access point, into one of the Ethernet segments selected in the Allowed interfaces box on the Global Settings tab.

Use the Delete icon in the Access Points list to delete an access point from the list.

Important Note – If you delete a mesh access point from the Access Points list, you have to plug the access point into your Ethernet again to get its initial configuration. To change the mesh network without having to plug the access point into your Ethernet again, do not delete the access point but instead click the access point's Edit button on the Access Points > Overview tab, click the Edit icon in the Mesh Networks section, and select the desired mesh network.

The access point icon designates an access point's role. You can search the access point list by using the filter field in the list header.

3. Click Save.

Your settings will be saved. The mesh network appears on the Mesh Networks list.


12.5 Wireless Clients

The Wireless Protection > Wireless Clients page gives you an overview of clients that are currently connected to an access point or have been connected in the past.

As not all clients transmit their name, you can give them a name here to ease distinguishing known clients in the overview. If clients transmit their NetBIOS name during the DHCP request, their name is displayed in the table. Otherwise they will be listed as [unknown]. You can change the name of (unknown) clients by clicking the Plus icon in front of the name. Then enter a name and click Save. It takes a few seconds for the change to take effect. Click the Reload button in the upper right corner of WebAdmin to see the name of the client. If you want to change the name, click the Edit button.

Note – Adding a name to a client can have a short effect on the performance.

You can also delete clients from the table by clicking the Delete icon.

A restart of the Wireless Protection service will erase Last seen timestamps.

12.6 Hotspots

On the Wireless Protection > Hotspots pages you can manage access with the captive portal system. The Hotspot feature allows cafés, hotels, companies, etc. to provide time- and traffic-restricted Internet access to guests. The feature is available within the wireless subscription, but also works with wired networks.

Note – Technically, the Hotspot feature serves to restrict traffic which is basically allowed by the firewall. Therefore you have to ensure that a firewall rule exists which allows the traffic to be managed via the hotspots. It is recommended to test the traffic with the hotspot feature disabled before enabling the hotspots.

Note – If the Hotspot feature is used in combination with an active-active cluster setup, the respective traffic cannot be distributed between master and workers. All traffic from and to the hotspot interfaces will be directed through the master.


Hotspot Generation

In a first step, the administrator creates and enables a hotspot with a specific type of access. The following types are available:

• Terms of use acceptance: The guest is presented terms of use, which you can define, and has to select a checkbox to get access.

• Password of the day: The guest has to enter a password to get access. The password changes on a daily basis.

• Voucher: The guest gets a voucher and has to enter the voucher code to get access. The voucher can be limited in the number of devices, in time, and in traffic.

Distribution of Access Information to Guests

With the types Password of the day and Voucher, the access information has to be handed out to the guests. Therefore you can define users who are allowed to manage and distribute access information. Those users receive and distribute the access information via the Hotspot tab of the User Portal:

• Password of the day: The current password can be sent via email and the users find the password in the User Portal. The users forward the password to the guests. They can generate or enter a new password. Hereby, the former password automatically becomes invalid and active sessions will be terminated. Potential other users will be informed of the new password, either by email or via the User Portal, depending on what is configured for them.

• Voucher: In the User Portal, users have the possibility to create vouchers, each with a unique code. Different types of vouchers can be available if specified by the administrator. The vouchers can be printed or exported and given to the guests. A list of created vouchers gives an overview of their usage and helps to manage them.

Legal Information

In many countries, operating a public wireless LAN is subject to specific national laws, restricting access to websites of legally questionable content (e.g., file sharing sites, extremist websites, etc.). To meet this requirement, you can combine the hotspot with the web protection capabilities of the Sophos UTM, which allow you to control web access by blocking and allowing everything from an entire website category type to a single URL. The UTM gives you complete control over what is allowed to be accessed, by whom, and when. That way you can put the hotspot under heavy restrictions, if national or corporate policies require you to do so.

Using the built-in HTTP proxy of Sophos UTM also gives you advanced logging and reporting capabilities. The reporting will show who visited what site, when, and how many times, allowing you to identify inappropriate usage in case you want to operate a hotspot without any access restrictions.

In addition to that, legal regulations may require you to register your hotspot at the national regulatory body.

12.6.1 Global

On the Wireless Protection > Hotspots > Global tab you can enable the Hotspots feature and define users who are allowed to view and distribute hotspot access information.

To configure hotspots, proceed as follows:

1. On the Global tab, enable the Hotspots.

Click the toggle switch.

The toggle switch turns green and the Global Hotspot Settings area becomes editable.

2. Select the allowed users.

Select the users or groups or add new users that should be able to provide hotspot access information via the User Portal. Users selected here can change the password of the day and are able to create hotspot vouchers. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

3. Click Apply.

Your settings will be saved.

Live Log

The Hotspots live log gives you information on the usage of the hotspots. Click the Open Live Log button to open the Hotspots live log in a new window.

Download Templates

Here you can download the hotspot login template and the voucher template that are used by default when adding a new hotspot. You can modify the default templates to customize your hotspot login page or the voucher design without the need to create them from scratch. You can upload the customized HTML and PDF template on the Wireless Protection > Hotspots > Hotspots tab.


1. Click the blue Download icon.

The Download Certificate File dialog window opens.

2. Save the file.

The file will be downloaded.

12.6.2 Hotspots

On the Wireless Protection > Hotspots > Hotspots tab you can manage different hotspots.

Note – A hotspot has to be assigned to an existing interface, typically a WLAN interface. All hosts using this interface will automatically be restricted by the hotspot. Therefore, before you create a hotspot you would typically create a wireless network with client traffic Separate Zone, then create an interface for the respective WLAN interface hardware. For more information see Wireless Protection > Wireless Networks.

To create a hotspot, proceed as follows:

1. Click Add Hotspot.

The Add Hotspot dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this hotspot.

Interfaces: Add the interfaces which are to be restricted by the hotspot. Please ensure that for the selected interfaces a firewall rule exists which allows the desired traffic. An interface can only be used by one hotspot.

Caution – You should not select an uplink interface here because traffic to the Internet will be completely blocked afterwards. Additionally, we strongly advise against using interfaces used by servers which provide essential services like authentication. You may irreversibly lock yourself out of WebAdmin!

Hotspot type: Select the hotspot type for the selected interfaces.

• Password of the day: A new password will be created automatically once a day. This password will be available in the User Portal on the Hotspots tab, which is available to all users specified on the Global tab. Additionally it will be sent to the specified email addresses.


• Voucher (not available with BasicGuard subscription): With this hotspot type, tokens with different limitations and properties can be generated in the User Portal, printed and given to customers. After entering the code, the customers can then directly access the Internet.

• Terms of Use Acceptance: Customers can access the Internet after accepting the Terms of Use.

• Backend Authentication: With this hotspot type, users can authenticate via any supported backend mechanism (see Definitions & Users > Authentication Services). With this type, the user credentials are stored to periodically check if the user is still authorized.

• SMS Authentication: With this hotspot type, users can authenticate via mobile phone. A verification code will be sent via SMS and after entering it within a certain time frame, the access will be granted.

Note – If you select Backend Authentication, a new entry field for an OTP token appears on the Login Form if Hotspot is configured as an OTP facility.

Password creation time (only with Hotspot type Password of the day): The assigned time of the day at which the new password will be created. At this time the former password will immediately become invalid and current sessions will be cut off.

Send password by email to (only with Hotspot type Password of the day): Add email addresses to which the password shall be sent.

Voucher definitions (only with Hotspot type Voucher): Add or select the voucher definitions you want to use for the hotspot. How to add a voucher definition is explained on the Voucher Definitions page.

Devices per voucher (only with Hotspot type Voucher): Enter the number of devices which are allowed to log in with one voucher during its lifetime. It is not recommended to use the unlimited entry.

Hotspot users (only with Hotspot type Backend Authentication): Select the users or user groups or add the users that should be able to access the hotspot via backend authentication. Typically, this is a backend user group.


SMS text (only with Hotspot type SMS Authentication): If required, change the text of the verification SMS. Note that <?CODE?> will be replaced by the verification code automatically.

Session expires (only with Hotspot type Terms of Use Acceptance, SMS Authentication or Backend Authentication): Select the time span after which the access will expire. After that, with the hotspot type Terms of Use Acceptance, the users have to accept the terms of use again to log in. With the hotspot type Backend Authentication, the users have to authenticate again.

Users have to accept terms of use (not with Hotspot type Terms of Use Acceptance): Select this option if you want the hotspot users to accept your terms of use before accessing the Internet.

• Terms of use: Add the text to be displayed as terms of use. Simple HTML markup and hyperlinks are allowed.

Redirect to URL after login: If selected, after entering the password or the voucher data, the users will be redirected automatically to a particular URL, e.g., your hotel's website or a webpage stating your portal system policies.

• URL: URL to which the user is redirected.

Comment (optional): Add a description or other information.

3.   Optionally, make the following hotspot customization settings:

By default, the user will be presented a login page with the Sophos logo. You can use a customized HTML file with your own images and stylesheets. Additionally, you can customize the voucher layout.

Customization type: Select the customization type. The following types are available:

• Basic: Use the default login page template. If required, change logo, title, and text.

Logo: Upload a logo for the login page. Supported image file types are jpg, png and gif. A maximum image width of 300 px and height of 100 px is recommended (depending on the title length). Use the Restore Default button to select the default Sophos logo again.

Scale logo to recommended size: If selected, a logo exceeding the recommended width or height will be scaled down and displayed in the recommended size. If not selected, the logo will be displayed in the original size.


Title: Add a title for the login page. Simple HTML markup and hyperlinks are allowed.

Custom text: Add an additional text for the login page. You can for example enter the SSID of the wireless network to be used. Simple HTML markup and hyperlinks are allowed.

• Full: Select an individual login HTML page.

Login page template: Select the HTML template you want to use for your individual login page. Clicking the Folder icon opens a window where you can select and upload the file. Use the Restore Default button to select the default Sophos HTML template again. In this template, you can use variables that dynamically insert information for each hotspot. For example, you can add the company name and administrator information, the terms of use and the login form. See the detailed information below, in Using Variables in Login Page Template. You can download the default HTML template on the Wireless Protection > Hotspots > Global tab.

Images / Stylesheets: Add files that are referenced in your login page template, e.g., images, stylesheets, or JavaScript files. Clicking the Folder icon opens a window where you can select and upload the files.

Voucher template (only with hotspot type Voucher): Clicking the Folder icon opens a window where you can select and upload the PDF file with the voucher layout. By default, a default template is used. You can restore the default by clicking the Restore Default button. The voucher PDF file has to have PDF version 1.5 or lower. It may have any page size and format; both size and format will be adjusted during voucher creation in the User Portal, depending on the page size and number of vouchers per page specified there. You can download the default PDF template on the Wireless Protection > Hotspots > Global tab.

The PDF file may contain the following variables, which will be replaced with the respective values during voucher generation in the User Portal:

• Wireless network name (SSID): <?ssid0?> (and <?ssid1?>, <?ssid2?> and so on, if the WLAN has more than one SSID)

• Wireless network password: <?psk0?> (and <?psk1?>, <?psk2?> and so on, if the WLAN has more than one SSID)

• Voucher code: <?code?>

• Voucher validity time: <?validity?>


• Voucher data limit: <?datalimit?>

• Voucher time limit: <?timelimit?>

• Comment: <?comment?>

• QR code with the hotspot access data encoded: <?qrX?>. The upper left corner of the QR code will be placed on the lower left corner of the variable.

Note – When using variables, the PDF file must include the entire character sets of the fonts used. When a variable is replaced by its value and one of the substitute characters is not available, it will be displayed incorrectly. We recommend adding the string <?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?> to your PDF file; it will automatically be removed during voucher generation. Additionally, it is recommended to use a separate line for the variables, as the layout could get corrupted if the substituted text is too long.

4.   Click Save.

The hotspot will be created and appears on the Hotspots list.

Tip – You can open a preview of the login page after saving the hotspot. In the Hotspots list, just click the button Preview Login Page of the respective hotspot.

To either edit or delete a hotspot, click the corresponding buttons.

Using Variables in Login Page Template

The HTML template for the login page may contain various variables that dynamically insert information for the hotspot login page. When the UTM processes a template in order to display a login page, it replaces any template variables with the relevant value. Valid variables are:

• General variables

<?company_text?>: Custom company text as defined on Management > Customization > Global

<?company_logo?>: Company logo as defined on Management > Customization > Global. The variable will be replaced by the path of the logo file, usage e.g., <img src="<?company_logo?>">


<?admin_contact?>: Administrator name or address as defined on Management > Customization > Web Messages

<?admin_message?>: Administrator information label as defined on Management > Customization > Web Messages (default: Your cache administrator is:)

<?error?>: Error message that arose while trying to log in.

• Variables used for all hotspot types

<?terms?>: Terms of use (as defined on Hotspots page)

<?redirect_host?>: Redirect URL that is specified for the hotspot (as defined on Hotspots page)

<?location?>: URL the user requested

<?location_host?>: Hostname of the URL the user requested

<?login_form?>: Login form suitable for the respective hotspot type: Password text box, Token text box, Username and Password text boxes, or Accept checkbox, and Login button. For creating customized login forms, see User-Specific Login Form below.

<?asset_path?> (only important for customization mode Full): Hotspot-specific directory for storage of images or stylesheets (example usage: <img src="<?asset_path?>/logo.png">)

• Variables only used for Voucher type hotspots

<?maclimit?>: Number of allowed devices per voucher of this hotspot (as defined on Hotspots page)

<?numdevices?>: Number of devices used for this voucher

<?timeend?>: End of validity period (as defined on Voucher Definitions page)

<?time_total?>: Total time quota allowed (as defined on Voucher Definitions page)

<?time_used?>: Time quota used up (as defined on Voucher Definitions page)

<?traffic_total?>: Total data volume allowed (as defined on Voucher Definitions page)

<?traffic_used?>: Data volume used up (as defined on Voucher Definitions page)

Templates can contain if variables that make up sections like the ones shown below. Each section has an opening and a closing variable. The contents of an if section are only displayed on a specific condition.


<?if_loggedin?> ... <?if_loggedin_end?>: Section is displayed when the user has successfully logged in.

<?if_notloggedin?> ... <?if_notloggedin_end?>: Section is displayed when the user has not yet logged in, e.g., because terms of use have to be accepted or because an error occurred.

<?if_authtype_password?> ... <?if_authtype_password_end?>: Section is displayed when hotspot type is Password of the day.

<?if_authtype_disclaimer?> ... <?if_authtype_disclaimer_end?>: Section is displayed when hotspot type is Terms of Use Acceptance.

<?if_authtype_token?> ... <?if_authtype_token_end?>: Section is displayed when hotspot type is Voucher.

<?if_authtype_backend?> ... <?if_authtype_backendtoken_end?>: Section is displayed when hotspot type is Backend Authentication.

<?if_location?> ... <?if_location_end?>: Section is displayed when the user has been redirected.

<?if_redirect_url?> ... <?if_redirect_url_end?>: Section is displayed when the checkbox Redirect to URL after login is enabled.

<?if_not_redirect_url?> ... <?if_not_redirect_url_end?>: Section is displayed when the checkbox Redirect to URL after login is disabled.


<?if_timelimit?> ... <?if_timelimit_end?>: Section is displayed when a validity period is set for a voucher.

<?if_trafficlimit?> ... <?if_trafficlimit_end?>: Section is displayed when a data volume is set for a voucher.

<?if_timequota?> ... <?if_timequota_end?>: Section is displayed when a time quota is set for a voucher.

<?if_maclimit?> ... <?if_maclimit_end?>: Section is displayed when a Devices per voucher value is specified.

<?if_terms?> ... <?if_terms_end?>: Section is displayed when Terms of Use are defined and enabled.

<?if_error?> ... <?if_error_end?>: Section is displayed when an error occurred while trying to log in.

User-Specific Login Form

If you want to create your own login form instead of using the pre-defined <?login_form?> variable, consider the following:

• Enclose the form in the following tags:
<form action="?action=login" method="POST"> ... </form>

• For a Terms of Use Acceptance hotspot, add a checkbox named "accept":
<input type="checkbox" name="accept">

• For Password of the Day or Voucher hotspots, add a text box named "token":
<input type="text" name="token">

• For a Backend Authentication hotspot, add the two text boxes named "username" and "password":
<input type="text" name="username">
<input type="password" name="password">

• Add a means to submit the form, e.g., a Login button:
<input type="submit" name="login" value="Login">
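As an added illustration of the template processing described in this section (not Sophos code), the following Python resolves the if sections and then substitutes the variable placeholders in a constructed template that embeds the user-specific login form for a Password of the day hotspot. Assumptions: if sections are paired by the regular _end suffix, an unknown variable becomes an empty string, and values are HTML-escaped except for the terms and login form variables.

```python
import re
from html import escape

# <?if_X?> ... <?if_X_end?> pairs (assumed regular naming); the section body is
# kept when condition X is true and removed entirely when it is false.
IF_RE = re.compile(r"<\?if_(\w+)\?>(.*?)<\?if_\1_end\?>", re.DOTALL)
# Any remaining <?name?> placeholder.
VAR_RE = re.compile(r"<\?(\w+)\?>")

# Variables the manual describes as carrying HTML (terms of use may contain
# markup; the login form is HTML); everything else is escaped (assumption).
RAW_HTML_VARIABLES = {"terms", "login_form"}


def render_login_page(template, variables, conditions):
    """Resolve if sections (nested ones via repeated passes), then substitute variables."""

    def keep_or_drop(match):
        name, body = match.group(1), match.group(2)
        return body if conditions.get(name, False) else ""

    previous, output = None, template
    while previous != output:               # repeat until no if section is left
        previous, output = output, IF_RE.sub(keep_or_drop, output)

    def substitute(match):
        name = match.group(1)
        value = str(variables.get(name, ""))  # unknown variable -> empty string
        return value if name in RAW_HTML_VARIABLES else escape(value)

    return VAR_RE.sub(substitute, output)


# Constructed template for a Password of the day hotspot, using the
# user-specific login form fields listed above (not the default Sophos template).
TEMPLATE = """<html><head><title><?company_text?></title></head><body>
<img src="<?asset_path?>/logo.png">
<?if_notloggedin?>
<?if_error?><p class="error"><?error?></p><?if_error_end?>
<?if_terms?><div class="terms"><?terms?></div><?if_terms_end?>
<form action="?action=login" method="POST">
<?if_authtype_password?><input type="text" name="token"><?if_authtype_password_end?>
<input type="submit" name="login" value="Login">
</form>
<?if_notloggedin_end?>
<?if_loggedin?><p>Welcome.<?if_redirect_url?> Redirecting to <?redirect_host?>.<?if_redirect_url_end?></p><?if_loggedin_end?>
<p><?admin_message?> <?admin_contact?></p>
</body></html>"""


def demo(logged_in):
    """Render the constructed template before and after a successful login."""
    variables = {                             # constructed sample values
        "company_text": "Example Hotel WLAN",
        "asset_path": "/hotspot/assets/demo",
        "error": "Wrong password <script>alert(1)</script>",  # must be escaped
        "terms": "<b>No illegal content.</b>",
        "admin_message": "Your cache administrator is:",
        "admin_contact": "admin@example.com",
        "redirect_host": "http://intranet.example.com/",
    }
    conditions = {
        "loggedin": logged_in,
        "notloggedin": not logged_in,
        "error": not logged_in,
        "terms": True,
        "authtype_password": True,
        "redirect_url": True,
    }
    return render_login_page(TEMPLATE, variables, conditions)


if __name__ == "__main__":
    print(demo(False))
    print(demo(True))
```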


12.6.3 Voucher Definitions

On the Wireless Protection > Hotspots > Voucher Definitions tab you can manage different

voucher definitions for voucher type hotspots.

To create a voucher definition, proceed as follows:

1.   Click Add Voucher Definition.

The Add Voucher Definition dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for this voucher definition.

Validity period: Enter the time span for which a voucher with this definition will be valid. Counting starts at the first login. It is highly recommended to enter a time period.

Note – The maximum time for the Validity Period is two years.

Time quota: Here you can restrict the allowed online time. Enter the maximum online time after which a voucher of this definition expires. Counting starts at login and stops at logout. Additionally, counting stops after 5 minutes of inactivity.

Note – The maximum time for the Time Quota is two years.

Data volume: Here you can restrict the allowed data volume. Enter the maximum data

volume to be transmitted with this voucher definition.

Note – The maximum Data Volume is 100 GB.

Comment (optional): Add a description or other information.

3.   Click Save.

The voucher definition will be created. It can now be selected when creating a voucher-type hotspot.

To either edit or delete a voucher definition, click the corresponding buttons.


12.6.4 Advanced

General Voucher Options

Here you can decide if, and after which time interval, you want to delete expired vouchers from the database. In the hotspot log you will still find information about the deleted vouchers.

Walled Garden

Add or select specific hosts or networks to be always accessible by all users, without entering a password or a voucher code. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.


13 Webserver Protection

This chapter describes how to configure the web application firewall of Sophos UTM, which protects your webservers against attacks and malicious behavior.

The following topics are included in this chapter:

• Web Application Firewall

• Reverse Authentication

• Certificate Management

13.1 Web Application Firewall

Using the Web Application Firewall (WAF), also known as reverse proxy, Sophos UTM lets you protect your webservers from attacks and malicious behavior like cross-site scripting (XSS), SQL injection, directory traversal, and other potent attacks against your servers. You can define external addresses (virtual webservers) which should be translated into the "real" machines in place of using the DNAT rule(s). From there, servers can be protected using a variety of patterns and detection methods. In simpler terms, this area of UTM allows the application of terms and conditions to requests which are received and sent from the webserver. It also offers load balancing across multiple targets.

13.1.1 Virtual Webservers

On the Web Application Firewall > Virtual Webservers tab you can create virtual webservers. Those webservers, as part of the UTM, build the firewall between the Internet and your webservers. That is why this kind of intervention is also known as reverse proxy. The UTM picks up the requests for the webservers and protects the real webservers from various attacks. Each virtual server maps to a real webserver and determines what level of protection is applied. You can also use more than one real webserver in one virtual webserver definition. That way you get load balancing for your real webservers.

With different certificates, Sophos UTM allows multiple Virtual Webservers using HTTPS on the same interface and port. With Server Name Indication (SNI) support, Webserver Protection will present the correct Virtual Webserver to the client, based on the requested hostname.

To add a virtual webserver, do the following:


1.   Click the New Virtual Webserver button.

The Create Virtual Webserver dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the virtual webserver.

Interface: Select an interface from the drop-down list over which the webserver can be reached.

Note – If there is an interface with an IPv4 address and an IPv6 link local address defined as frontend interface, the virtual webserver is only reachable at the IPv4 address. Interfaces for which only an IPv6 link local address is defined cannot be selected as frontend interface for a virtual webserver.

Type: Determine whether you want the communication between the client and the virtual webserver to be Encrypted (HTTPS) or Plaintext (HTTP). When you want to use reverse authentication, we highly recommend selecting Encrypted (HTTPS) for security reasons.

Port: Enter a port number on which the virtual webserver can be reached from external. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted (HTTPS).

Redirect from HTTP to HTTPS (only with Encrypted (HTTPS)): If enabled, users entering the URL without https:// will be redirected automatically to the virtual webserver.

Certificate (only with Encrypted (HTTPS)): Select the webserver's certificate from the drop-down list. The certificate needs to be created beforehand on the webserver, and be uploaded on the Certificate Management > Certificates tab.

Domain: This field displays the hostname for which the certificate had been created.

Domains (only with SAN certificates): The WAF supports Subject Alternative Name (SAN) certificates. All hostnames covered by a certificate will be listed in this box. You can then select one or more hostnames by selecting the checkbox in front of a hostname.

Domains (only with Plaintext (HTTP) or Encrypted (HTTPS) with wildcard certificate): Enter the domains the webserver is responsible for as FQDN, e.g. shop.example.com, or use the Action icon to import a list of domain names. You can use an asterisk (*) as a wildcard for the prefix of the domain, e.g., *.mydomain.com. Domains with wildcards are considered as fallback settings: The virtual webserver with the wildcard domain entry is only used when no other virtual webserver with a more specific domain name is configured. Example: A client request to a.b.c will match a.b.c before *.b.c before *.c.

Real Webservers: Create a new real webserver or select the checkbox in front of the webserver you want to apply the firewall profile to. If you have mirroring webservers you can also select more than one webserver. By default, traffic will be load-balanced between the selected webservers. The implemented request counting algorithm automatically assigns each new request to the webserver with the lowest number of active requests at present. On the Site Path Routing tab you can specify detailed balancing rules.

Firewall Profile: Select a firewall profile from the drop-down list. This profile is applied to protect the selected webservers. You can also select No Profile to not use any firewall profile.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Disable compression support (optional): By default, this checkbox is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, in case of websites being displayed incorrectly or when users experience content-encoding errors accessing your webservers, it can be necessary to disable compression support. When the checkbox is enabled, the WAF will request uncompressed data from the real webservers of this virtual webserver and will send it on uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML (optional): Select this option to have the UTM rewrite links of the returned webpages in order for the links to stay valid. Example: One of your real webserver instances has the hostname yourcompany.local but the virtual server's hostname on the UTM is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your webserver or if internal links on your webpages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or Sharepoint Portal Server.


Note – It is likely that some links cannot be rewritten correctly and are therefore rendered invalid. Ask your website author(s) to format links consistently.

Apart from URL rewriting, the HTML rewriting feature also fixes malformed HTML, for example:

◦ <title> tags are moved in the DOM tree from node html > title to the correct html > head > title

◦ Quotes around HTML attribute values are fixed (e.g., name="value" becomes name="value")

Note – HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting feature.

Cross Reference – Please see the libxml documentation for further information (http://xmlsoft.org/html/libxml-HTMLparser.html).

Rewrite Cookie (optional, only visible if Rewrite HTML is enabled): Select this option to have the UTM rewrite cookies of the returned webpages.

Note – If Rewrite HTML is disabled, the Rewrite Cookie option will also be disabled.

Pass host header (optional): When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the webserver. Whether passing the host header is necessary in your environment, however, depends on the configuration of your webserver.

4.   Click Save.

The server is added to the Virtual Webservers list.

5.   Enable the virtual webserver.

The new virtual webserver is disabled by default (toggle switch is gray). Click the toggle switch to enable the virtual webserver.

The virtual webserver is now enabled (toggle switch is green).


Note – The virtual webserver cannot be enabled if the corresponding interface is disabled. The interface can be enabled on Interfaces & Routing > Interfaces > Interfaces.

The Virtual Webservers list displays a status icon for each real webserver assigned to a virtual webserver. The status icon of a real webserver is red when the real webserver has not been enabled. It is amber when the real webserver is down or unavailable and green if everything is working.
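The domain precedence rule from the Domains setting above (a.b.c before *.b.c before *.c), as an added example that is not part of the manual: a Python selector that picks the virtual webserver for a requested hostname from a constructed set of definitions, preferring an exact FQDN over any wildcard and, among wildcards, the longest suffix. The data layout, case folding, trailing-dot handling and the rule that a wildcard does not match its bare suffix are assumptions.

```python
# Constructed virtual webserver definitions: name -> entries as they would be
# typed into the Domains box (exact FQDNs or "*.suffix" wildcards).
VIRTUAL_WEBSERVERS = {
    "shop":     ["shop.example.com"],
    "intranet": ["*.corp.example.com"],
    "fallback": ["*.example.com"],
}


def _canonical(name):
    """DNS names are case-insensitive; a trailing dot denotes the same name."""
    return name.lower().rstrip(".")


def domain_matches(pattern, host):
    """True if host is covered by an exact FQDN or by a *.suffix wildcard.

    A wildcard covers any prefix, including several labels (*.c matches a.b.c
    on the page), but not the bare suffix itself (assumption).
    """
    pattern, host = _canonical(pattern), _canonical(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def specificity(pattern):
    """Sort key: exact names beat wildcards; longer wildcard suffixes beat shorter."""
    pattern = _canonical(pattern)
    return (0 if pattern.startswith("*.") else 1, len(pattern))


def select_virtual_webserver(host, definitions=VIRTUAL_WEBSERVERS):
    """Return the name of the most specific matching virtual webserver, or None
    when no definition covers the requested hostname."""
    best = None
    for name, domains in definitions.items():
        for pattern in domains:
            if domain_matches(pattern, host):
                key = specificity(pattern)
                if best is None or key > best[0]:
                    best = (key, name)
    return best[1] if best else None


if __name__ == "__main__":
    for host in ("shop.example.com", "wiki.corp.example.com", "www.example.com", "example.com"):
        print(host, "->", select_virtual_webserver(host))
```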

13.1.2 Real Webservers

On the Web Application Firewall > Real Webservers tab you can add the webservers that are to be protected by the WAF.

To add a webserver, do the following:

1.   Click the New Real Webserver button.

The Create Real Webserver dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the webserver.

Host: Add or select a host, which can either be of the type Host or DNS Host. We highly recommend using the DNS hostname here, because hosts listed with their IP address transmit empty host headers, which leads to problems with some browsers. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Type: Determine whether you want the communication between the UTM and the webserver to be Encrypted (HTTPS) or Plaintext (HTTP).

Port: Enter a port number for the communication between the UTM and the webserver. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted (HTTPS).

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Enable HTTP Keepalive: By default, the WAF uses HTTP keepalive, i.e., HTTP persistent connections, which helps to reduce CPU and memory usage. In rare cases where the real webserver does not support HTTP keepalive properly, this feature can provoke reading errors or timeouts and should then be disabled for the affected webserver.


When a virtual webserver is assigned at least one real webserver with HTTP keepalive disabled, the feature will automatically be disabled for all real webservers assigned to this virtual webserver.

Timeout: Here you can enter the timeout for the HTTP Keepalive. Values between 1 and 65535 seconds are allowed. Data can be received as long as the backend sends data before the timeout expires. After it expires, the WAF sends an HTTP 502 message to clients. The default timeout is 300 seconds.

4.   Click Save.

The server is added to the Real Webservers list.

The webservers present can now be assigned firewall profiles on the Virtual Webservers tab.

13.1.3 Firewall Profiles

On the Web Application Firewall > Firewall Profiles tab you can create WAF profiles that define the modes and levels of protection for your webservers.

To create a WAF profile, do the following:

1.   Click the New Firewall Profile button.

The Create Firewall Profile dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the profile.

Pass Outlook Anywhere: Allows external Microsoft Outlook clients to access the Microsoft Exchange Server via the WAF. Microsoft Outlook traffic will not be checked or protected by the WAF.

Mode: Select a mode from the drop-down list:

• Monitor: HTTP requests are monitored and logged.

• Reject: HTTP requests are rejected.

The selected mode is applied when an HTTP request meets any one of the conditions selected below.

Common Threats Filter: If enabled, you can protect your webservers from several threats. You can specify the threat filter categories you want to use in the Threat Filter Categories section below. All requests will be checked against the rule sets of the selected categories. Depending on the results, a notice or a warning will be shown in the live log or the request will be blocked directly.

Rigid Filtering: If enabled, several of the selected rules will be tightened. This may lead to false positives.

Skip Filter Rules: Some of the selected threat categories may contain rules that lead to false positives. To avoid false positives induced by a specific rule, add the rule number that you want to skip to this box. WAF rule numbers can for example be retrieved on the Logging & Reporting > Webserver Protection > Details page, via the Top Rules filter.

Cookie Signing: Protects a webserver against manipulated cookies. When the webserver sets a cookie, a second cookie is added to the first cookie containing a hash built of the primary cookie's name, its value and a secret, where the secret is only known by the WAF. Thus, if a request cannot provide a correct cookie pair, there has been some sort of manipulation and the cookie will be dropped.

URL Hardening: Protects against URL rewriting. For that, when a client requests a website, all URLs of the website are signed. The signing uses a similar procedure as with cookie signing. Additionally, the response from the webserver is analyzed regarding what links can be validly requested next. Hardened URLs can furthermore be bookmarked and visited later. Select one of the following methods to define entry URLs:

• Entry URLs Specified Manually: Enter URLs that serve as kind of entry URLs of a website and therefore do not need to be signed. They need to comply with the syntax of the following examples: http://shop.example.com/products/, https://shop.example.com/products/ or /products/.

• Entry URLs from Uploaded Google Sitemap File: You can upload a sitemap file here which contains information on your website structure. Sitemap files can be uploaded in XML or in plain-text format, the latter simply containing a list of URLs. As soon as the profile is saved, the sitemap file is going to be parsed by the WAF.

• Entry URLs from Google Sitemap URL: You can have the UTM download a sitemap file from a defined URL which contains information on your website structure. This file can be checked for updates at a regular interval. As soon as the profile is saved, the sitemap file is going to be downloaded and parsed by the WAF.

URL: Enter the path to the sitemap as absolute URL.


Update: Select an update interval from this drop-down list. When you select Manual, the sitemap is going to be updated only when you save this profile anew.

Note – When using Reverse Authentication with frontend mode Form on a designated path, it is not necessary to specify entry URLs for the login form and for this path. How to configure the path is described on the Webserver Protection > Web Application Firewall > Site Path Routing page.

Note – URL hardening affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the URL hardening feature.

Form Hardening: Protects against web form rewriting. Form hardening saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed when it is submitted, the WAF rejects the request.

Note – Form hardening affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the form hardening feature.
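The signing behind Cookie Signing, URL Hardening and Form Hardening, as an added illustration that is not Sophos's implementation: this section says only that a hash over the cookie's name, its value and a WAF-only secret travels in a second cookie, that URLs are signed in a similar way (entry URLs excepted) and that a form's structure is signed. The HMAC-SHA256 construction, the companion cookie suffix, the waf_sig parameter name, the use of the field-name set as the "form structure" and all sample values are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Secret known only to the WAF (constructed; a real deployment generates its own).
WAF_SECRET = b"constructed-demo-secret-do-not-use"
SIG_PARAM = "waf_sig"            # assumed name of the URL signature parameter


def _sign(*parts):
    """HMAC-SHA256 over length-prefixed parts, so ("ab","c") != ("a","bc")."""
    mac = hmac.new(WAF_SECRET, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


# --- Cookie Signing: name + value + secret -> companion cookie --------------
def sign_set_cookie(name, value):
    """Cookie set by the webserver plus the signature cookie the WAF adds."""
    return {name: value, name + "_sig": _sign("cookie", name, value)}


def verify_cookies(cookies):
    """Keep cookies whose pair verifies; drop manipulated or unsigned ones.
    Signature cookies themselves are consumed and not forwarded."""
    accepted = {}
    for name, value in cookies.items():
        if name.endswith("_sig"):
            continue
        sig = cookies.get(name + "_sig", "")
        if hmac.compare_digest(sig, _sign("cookie", name, value)):
            accepted[name] = value
    return accepted


# --- URL Hardening: sign links in the response, verify the next request -----
def harden_url(url):
    """Append a signature over scheme, host, path and query of a link."""
    p = urlsplit(url)
    query = parse_qsl(p.query, keep_blank_values=True)
    sig = _sign("url", p.scheme, p.netloc, p.path, urlencode(query))
    query.append((SIG_PARAM, sig))
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), ""))


def verify_hardened_url(url, entry_urls=()):
    """Entry URLs need no signature; every other URL must carry a valid one."""
    p = urlsplit(url)
    if url in entry_urls or p.path in entry_urls:
        return True
    query = parse_qsl(p.query, keep_blank_values=True)
    sigs = [v for k, v in query if k == SIG_PARAM]
    rest = [(k, v) for k, v in query if k != SIG_PARAM]
    if len(sigs) != 1:
        return False                      # missing or duplicated signature
    expected = _sign("url", p.scheme, p.netloc, p.path, urlencode(rest))
    return hmac.compare_digest(sigs[0], expected)


# --- Form Hardening: sign the form structure, reject altered submissions ----
def form_structure(field_names):
    """The structure signed here is the set of field names (assumption)."""
    return ",".join(sorted(set(field_names)))


def sign_form(field_names):
    return _sign("form", form_structure(field_names))


def verify_form(submitted_field_names, signature):
    return hmac.compare_digest(signature, _sign("form", form_structure(submitted_field_names)))
```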

Antivirus: Select this option to protect a webserver against viruses.

Mode: Sophos UTM features several antivirus engines for best security.

l   Single Scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.

l   Dual Scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with a BasicGuard subscription.

Direction: Select from the drop-down list whether to scan only uploads, only downloads, or both.

Block unscannable content: Select this option to block files that cannot be scanned. The reason for that may be, among other things, that files are encrypted or corrupt.


Limit scan size: Selecting this option lets you enter the scan size limit into an additional field. Provide the limit in megabytes.

Note – If you do not enter a limit value, it will be saved as '0' megabytes, which means the limit is not active.

Block clients with bad reputation: Based on GeoIP and RBL information you can

block clients which have a bad reputation according to their classification. Sophos uses

the following classification providers:

RBL sources:

l   Commtouch IP Reputation (ctipd.org)

l   dnsbl.proxybl.org

l   http.dnsbl.sorbs.net

The GeoIP source is Maxmind. The WAF blocks clients that belong to one of the following Maxmind categories:

l   A1: Anonymous proxies or VPN services used by clients to hide their IP address or their original geographical location.

l   A2: Satellite providers are ISPs that use satellites to provide Internet access to users all over the world, often from high risk countries.

Skip Remote Lookups for Clients with Bad Reputation: As reputation lookups include sending requests to remote classification providers, using reputation-based blocking may slow down your system. Select this checkbox to only use GeoIP-based classification, which uses cached information and is therefore much faster.

Comment (optional): Add a description or other information.

3.   Optionally, select the following threat filter categories (only available when Common Threats Filter is enabled):

Protocol Violations: Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.

Protocol Anomalies: Searches for common usage patterns. Lack of such patterns

often indicates malicious requests. These patterns include, among other things, HTTP

headers like 'Host' and 'User-Agent'.


Request Limits: Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.

HTTP Policy: Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attackers aiming at these often less well supported options.

Bad Robots: Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your webservers are less likely to be discovered.

Generic Attacks: Searches for attempted command executions common to most attacks. After having breached a webserver, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by means of legitimate access.

SQL Injection Attacks: Checks for embedded SQL commands and escape characters in request arguments. Most attacks on webservers target input fields that can be used to direct embedded SQL commands to the database.

Cross-Site Scripting (XSS) Attacks: Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target webserver, often in a legitimate way.

Tight Security: Performs tight security checks on requests, like checking for prohibited path traversal attempts.

Trojans: Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.

Outbound: Prevents webservers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.

4.   Click Save.

The WAF profile is added to the Firewall Profiles list.

Additional Information on URL Hardening and Form Hardening

It would be best practice to always enable both URL hardening and form hardening because those two functions are complementary, especially in the way that they prevent issues you may


have when enabling just one of them:

l   Only form hardening is activated: When a webpage contains hyperlinks with appended queries (which is the case with certain CMSs), e.g. http://example.com/?view=article&id=1, such page requests are blocked by form hardening because it expects a signature which is missing.

l   Only URL hardening is activated: When a web browser appends form data to the action URL of the form tag of a web form (which is the case with GET requests), the form data becomes part of the request URL sent to the webserver, thereby rendering the URL signature invalid.

The reason why activating both functions solves those issues is that if either form hardening or URL hardening finds that a request is valid, the WAF accepts the request.
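The following is an added illustration, not Sophos code and not the WAF's actual signing scheme: a simplified model in which URLs and form structures are signed with separate HMAC keys, and a request is accepted if any applicable check passes. The secrets, the parameter name _sig and the hidden field name _formsig are constructed for this example; the scenarios reproduce the two failure modes described above and the combined configuration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed secrets standing in for the keys entered on the WAF > Advanced tab.
URL_SECRET = b"constructed-url-hardening-secret"
FORM_SECRET = b"constructed-form-hardening-secret"
SIG_PARAM = "_sig"            # hypothetical name of the URL signature parameter
FORM_SIG_FIELD = "_formsig"   # hypothetical name of the hidden form signature field


def _mac(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def harden_url(url):
    """URL hardening: append a MAC over the URL (minus fragment) to its query."""
    p = urlsplit(url)
    unsigned = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    q = parse_qsl(p.query, keep_blank_values=True) + [(SIG_PARAM, _mac(URL_SECRET, unsigned))]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), p.fragment))


def url_signature_valid(url):
    """Recompute the MAC over the requested URL without its signature parameter."""
    p = urlsplit(url)
    q = parse_qsl(p.query, keep_blank_values=True)
    sigs = [v for k, v in q if k == SIG_PARAM]
    rest = [(k, v) for k, v in q if k != SIG_PARAM]
    if len(sigs) != 1:
        return False
    unsigned = urlunsplit((p.scheme, p.netloc, p.path, urlencode(rest), ""))
    return hmac.compare_digest(sigs[0], _mac(URL_SECRET, unsigned))


def harden_form(action_path, field_names):
    """Form hardening: sign the form's structure (action path and field names);
    the WAF would emit this as a hidden field when rewriting the page."""
    return _mac(FORM_SECRET, action_path + "|" + ",".join(sorted(field_names)))


def form_signature_valid(action_path, params):
    """Verify the submitted parameters against the signature field they carry."""
    sig = params.get(FORM_SIG_FIELD)
    if sig is None:
        return False
    names = [n for n in params if n != FORM_SIG_FIELD]
    return hmac.compare_digest(sig, harden_form(action_path, names))


def browser_get_submit(action_url, fields):
    """Model a browser submitting a GET form: the field values are appended to
    the action URL, so the URL requested is no longer the URL that was signed."""
    p = urlsplit(action_url)
    q = parse_qsl(p.query, keep_blank_values=True) + list(fields.items())
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), ""))


def waf_decision(url, body=None, *, url_hardening=True, form_hardening=True):
    """True = accepted. Each enabled feature contributes one check; the request
    is accepted if any applicable check passes. Form hardening only has
    something to verify when the request actually carries parameters."""
    p = urlsplit(url)
    params = {k: v for k, v in parse_qsl(p.query, keep_blank_values=True) if k != SIG_PARAM}
    params.update(body or {})
    checks = []
    if url_hardening:
        checks.append(url_signature_valid(url))
    if form_hardening and params:
        checks.append(form_signature_valid(p.path, params))
    return not checks or any(checks)


def scenarios():
    """The two failure modes from the text, the combined setup, and a tampered form."""
    cms_link = "http://example.com/?view=article&id=1"
    form_sig = harden_form("/search", ["q"])
    signed_action = harden_url("http://example.com/search")
    get_plain = browser_get_submit(signed_action, {"q": "sophos"})
    get_signed = browser_get_submit(signed_action, {"q": "sophos", FORM_SIG_FIELD: form_sig})
    tampered = browser_get_submit(signed_action, {"q": "sophos", "admin": "1", FORM_SIG_FIELD: form_sig})
    return {
        # only form hardening: a plain CMS link carries a query but no form signature
        "cms_link_form_only": waf_decision(cms_link, url_hardening=False),
        # both on: the link is URL-signed, so the URL check alone lets it through
        "cms_link_both": waf_decision(harden_url(cms_link)),
        # only URL hardening: appended GET form data no longer matches the signed URL
        "get_form_url_only": waf_decision(get_plain, form_hardening=False),
        # both on: the URL check fails but the form signature verifies
        "get_form_both": waf_decision(get_signed),
        # an extra field added to a signed form fails both checks
        "tampered_form_both": waf_decision(tampered),
    }
```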

Outlook Web Access

The configuration of the WAF for Outlook Web Access (OWA) is a bit tricky since OWA handles requests from a public IP differently than internal requests from an internal LAN IP to the OWA website. There are redirects attached in the URLs of OWA, where for external access the external FQDN is used, whereas for internal requests the internal server's IP address is used.

The solution is to set the OWA directory as Entry URL in the WAF profile of your OWA webserver (e.g. http://webserver/owa/). Additionally, you need to create an exception which skips URL hardening for the path /owa/* and to disable cookie signing completely for the virtual webserver.

13.1.4 Exceptions

On the Web Application Firewall > Exceptions tab you can define web requests or source networks that are to be exempt from certain checks.

1.   On the Exceptions tab, click New Exception List .

The Create Exception List dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the exception.

Skip These Checks: Select the security check(s) that should be skipped. See Firewall Profiles for descriptions.


Skip These Categories: Select the threat filter categories that should be skipped. See Firewall Profiles for descriptions.

Virtual Webservers: Select the virtual webservers that are to be exempt from the selected check(s).

For All Requests: Select a request definition from the drop-down list. Note that you can logically combine two request definitions by either AND or OR.

Networks: Add or select the source networks where the client request comes from and which are to be exempt from the selected check(s). How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Paths: Add the paths that are to be exempt from the selected check(s), in the form of e.g. /products/images/*.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Never change HTML during URL Hardening or Form Hardening: If selected, no data matching the defined exception settings will be modified by the WAF engine. With this option, e.g., binary data wrongly supplied with a text/html content type by the real webserver will not be corrupted. On the other hand, web requests may be blocked due to activated URL hardening, HTML rewriting, or form hardening. Those three features use an HTML parser and therefore to some extent depend on the modification of webpage content. To prevent undesired blocking, skip URL hardening and/or form hardening for requests affected by blocking; you might need to do this in another/new exception to reflect dependencies between webservers and/or webpages.

4.   Click Save.

The new exception appears on the Exceptions list.

5.   Enable the exception.

The new exception is disabled by default (toggle switch is gray). Click the toggle switch to enable the exception.

The exception is now enabled (toggle switch is green).

To either edit or delete an exception, click the corresponding buttons.


13.1.5 Site Path Routing

On the Web Application Firewall > Site Path Routing tab you can define to which real webservers incoming requests are forwarded. You can for example define that all URLs with a specific path, e.g., /products/, are sent to a specific webserver. On the other hand you can allow more than one webserver for a specific request but add rules how to distribute the requests among the servers. You can for example define that each session is bound to one webserver throughout its lifetime (sticky session). This may for example be necessary if you host an online shop and want to make sure that a user sticks to one server during their shopping session. You can also configure to send all requests to one webserver and use the others only as a backup.

For each virtual webserver, one default site path route (with path /) is created automatically. The UTM automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route, which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, e.g., because the default route was deleted, the request will be denied.

Note – The Site Path Routing tab can only be accessed after at least one real webserver and one virtual webserver have been created.

To create a site path route, proceed as follows:

1.   Click the New Site Path Route button.

The Create Site Path Route dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the site path route.

Virtual Webserver: Select the original target host of the incoming traffic.

Path: Enter the path for which you want to create the site path route, e.g., /products/.

Reverse Authentication: Select the authentication profile with the users or groups that should have access to this site path route. When no profile is selected, no authentication is required.


Caution – Using a reverse authentication profile on a Virtual Webserver running in plain text mode will expose user credentials. Continuing will cause the Web Application Firewall to send user credentials in an unsafe manner.

Caution – An authentication profile with frontend mode Form can only be deployed once on any one Virtual Webserver.

Real Webservers: Select the checkboxes in front of the real webservers which are to be used for the specified path. The order of the selected webservers is only relevant for the Enable Hot-Standby Mode option. With the sort icons you can change the order.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Enable Sticky Session Cookie: Select this option to ensure that each session will be bound to one real webserver. If enabled, a cookie is passed to the user's browser, which causes the UTM to route all requests from this browser to the same real webserver. If the server is not available, the cookie will be updated, and the session will switch to another webserver.

Enable Hot-Standby Mode: Select this option if you want to send all requests to the first selected real webserver, and use the other webservers only as a backup. The backup servers are only used in case the main server fails. As soon as the main server is back working, the sessions will switch back, unless you selected the Enable Sticky Session Cookie option.

4.   Click Save.

The site path route is added to the Site Path Routing list.

To either edit or delete a site path route, click the corresponding buttons.
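The routing rules described in this section, as an added model that is not Sophos code: longest matching path wins regardless of list order, a request without any matching route is denied, and sticky sessions and hot-standby interact as described above. The route names, server names and the choice of the first available server where the UTM would balance are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class SitePathRoute:
    name: str
    path: str              # e.g. "/products/"; "/" is the automatically created default route
    real_webservers: list  # in the order set with the sort icons in the dialog
    sticky_session: bool = False
    hot_standby: bool = False


def select_route(routes, request_path):
    """The strictest (longest) matching path wins; list order is irrelevant.
    None means no route matched, which the WAF turns into a denied request."""
    matching = [r for r in routes if request_path.startswith(r.path)]
    return max(matching, key=lambda r: len(r.path)) if matching else None


def select_server(route, sticky_cookie=None, down=()):
    """Return (real webserver to forward to, sticky cookie the client should now hold).
    The cookie is None on routes without sticky sessions."""
    available = [s for s in route.real_webservers if s not in down]
    if not available:
        return None, None
    if route.sticky_session and sticky_cookie in available:
        # a bound session stays where it is, even when a hot-standby main server is back
        return sticky_cookie, sticky_cookie
    # Hot standby: the first selected server is the main one, the rest are backup only.
    # Without hot standby the UTM distributes requests between the servers; that is
    # not modelled here and the first available server is used (constructed choice).
    server = available[0]
    return server, (server if route.sticky_session else None)


def route_request(routes, request_path, sticky_cookie=None, down=()):
    """Full decision for one request; None means the request is denied."""
    route = select_route(routes, request_path)
    if route is None:
        return None
    server, cookie = select_server(route, sticky_cookie, down)
    if server is None:
        return None  # constructed: no reachable real webserver on the route
    return {"route": route.name, "server": server, "cookie": cookie}


# Constructed routes for one virtual webserver, deliberately not sorted by path.
ROUTES = [
    SitePathRoute("api", "/api/", ["api1", "api2"], hot_standby=True),
    SitePathRoute("default", "/", ["web1", "web2"]),
    SitePathRoute("images", "/products/images/", ["static1"]),
    SitePathRoute("shop", "/products/", ["shop1", "shop2"], sticky_session=True, hot_standby=True),
]
```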

13.1.6 Advanced

On the Web Application Firewall > Advanced tab you can define the keys used for cookie signing and URL hardening.

Cookie Signing

Here you can enter a custom secret that is used as signing key for cookie signing.


URL Hardening

Here you can enter a custom secret that is used as signing key for URL hardening.

Form Hardening

Here you can enter a custom secret that is used as encryption key for the form hardening token.

The secret must consist of at least eight characters.

13.2 Reverse Authentication

On the Webserver Protection > Reverse Authentication pages, you can define how to use the Web Application Firewall to authenticate users directly instead of leaving the authentication to the real webservers. Via authentication profiles, the reverse authentication can be used to assign specific authentication settings to each site path route.

An authentication profile is basically defined by two authentication modes: the authentication mode used between the user and the WAF and the authentication mode used between the WAF and the real webservers. Thus, even if a real webserver does not support authentication, the WAF can enforce authentication of the users. On the other hand, reverse authentication ensures that a user only has to authenticate once, even if more than one real webserver is assigned to the respective virtual webserver.

Using forms for user authentication, you can specify company-specific form templates.

13.2.1 Profiles

On the Webserver Protection > Reverse Authentication > Profiles tab, you specify authentication profiles for the web application firewall. With profiles you can assign different authentication settings to different users or user groups. After specifying the authentication profiles, you can assign them to site path routes on the Web Application Firewall > Site Path Routing tab.

To add an authentication profile, do the following:

1.   On the Profiles tab, click New Authentication Profile.

The Create Authentication Profile dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the profile.


Frontend Mode: Select how the users should authenticate at the Web Application Firewall.

Basic: Users authenticate with HTTP basic authentication, entering username and password. As the credentials are sent unencrypted with this mode, it should be used over HTTPS. With this mode, no session cookies will be generated and a dedicated logout is not possible.

Form: Users will be presented a form where they have to enter their credentials. With this mode, session cookies will be generated and a dedicated logout is possible. The form template to be used can be selected in the Form Template drop-down list. Besides the default form template, the list shows the forms that have been defined on the Form Templates tab.

Frontend Realm: The realm is a unique string that is used to define the path to the URL authentication form. It is important to enter a string that is not used as a path on the related real webserver, otherwise the real webserver path would not be accessible by the users.

Note – These characters are allowed for the Frontend Realm: A-Z a-z 0-9 , ; . : - _ ' + = ) ( & % $ ! ^ < > | @

Form Template: Select the form template that will be presented to the users for authen-

tication. Form templates are defined on the Form Templates page.

Backend Mode: Select how the Web Application Firewall authenticates against the real webservers. The backend mode has to match the real webservers' authentication settings.

Basic: Authentication works with HTTP basic authentication, providing username and password.

None: There is no authentication between the WAF and the real webservers. Note that even if your real webservers do not support authentication, users will be authenticated via the frontend mode.

Users/Groups: Select the users or user groups or add new users or user groups that should be assigned to this authentication profile. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group. How to add a user is


explained on the Definitions & Users > Users & Groups > Users page. How to add a user group is explained on the Definitions & Users > Users & Groups > Groups page.

Note – Sometimes users should be required to use the User Principal Name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers. How to use User Principal Name notation is explained on the Definitions & Users > Authentication Services > Servers > Active Directory page.

Comment (optional): Add a description or other information.

3.   Optionally, make the following advanced settings:

Enable Session Timeout: Select this option to enable a timeout for the user session, which will confirm user credentials by having them log in again if they do not perform any action on the Virtual Webserver.

Session Timeout: Set an interval for the session timeout.

Session Timeout Scope: Set the scope to day(s), hour(s) or minute(s).

Limit Session Lifetime: Select this option to enable a hard limit for how long users may remain logged in, regardless of activity in the meantime.

Session Lifetime: Set an interval for the session lifetime value.

Session Lifetime Scope: Set the scope to day(s), hour(s) or minute(s).

Cookie Encryption Secret: Set the secret for the Cookie encryption.

Note – The Cookie Encryption Secret is only available when the Frontend Mode is set

to Form in the Authentication Profile.

Strip Basic Authentication: Determines whether the HTTP Basic Authentication Authorization header is passed through to the real webserver, so that double-layered HTTP authentication can be used. Select the checkbox to strip the basic authentication header.

Note – Strip Basic Authentication is only available when the Backend Mode is set to None in the Authentication Profile.


Caution – When using Reverse Authentication in combination with OTP, the OTP tokens will only be checked once when a user session is set up. Once a session is set up, any subsequent request by the same user will not have their OTP tokens evaluated. This is because malicious users might exploit the OTP configuration by sending an overwhelming amount of requests to authentication protected paths, thereby invoking OTP checks and effectively running a DoS attack on the authentication daemon. Passwords and all other request aspects will still be checked to match the configuration.

4.   Click Save.

The new profile appears on the Profiles list.

To either edit or delete a profile, click the corresponding buttons.

Reverse Authentication: Users/Groups:

Sometimes users should be required to use the format 'user@domain' when entering their credentials, e.g. when using Exchange servers in combination with Active Directory servers. In this case there are additional steps you have to take:

1.   Click on Definitions & Users.

The Definitions Overview opens.

2.   Click on Authentication Services.

The Authentication Services page opens.

3.   On the Servers tab, click the Clone button on the desired Active Directory server.

A new server will be created.

4.   Change the Backend field to LDAP.

5.   Change the User Attribute field to >

6.   In the Custom field enter 'userPrincipalname'.

If not present already, this will set up an LDAP Users group, which you will have to use instead of the Active Directory Users group.

Note – The format 'domain\user' is not supported. Use the format 'user@domain' instead.


13.2.2 Form Templates

On the Webserver Protection > Reverse Authentication > Form Templates tab, you can upload HTML forms for Reverse Authentication. A form template can be assigned to an authentication profile with frontend mode Form. The respective form will be presented when a user tries to access a site path to which the authentication profile is assigned.

To add a form template, do the following:

1.   On the Form Templates tab, click New Form Template.

The Create Form Template dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the form template.

Filename: Click the folder icon to select the HTML template.

Images/Stylesheets: Select and upload the images, stylesheets, or JavaScript files that are used by the selected form template.

Comment (optional): Add a description or other information.

3.   Click Save.

The new form template appears on the Form Templates list.

To either edit or delete a form template, click the corresponding buttons.

Using Variables in Login Form Template

l   Required:

A <form> element with its method set to POST and its action set to <?login_path?>, e.g. <form action="<?login_path?>" method="POST"> ... </form>

An <input> element inside the above mentioned form with its name set to httpd_username, e.g. <input name="httpd_username" type="text">

An <input> element inside the above mentioned form with its name set to httpd_password, e.g. <input name="httpd_password" type="password">

Note – It is essential that any form template meets these three conditions so it can be parsed correctly (only <?login_path?> will actually be substituted).


l   Optional:

All occurrences of <?assets_path?> will be replaced by the path containing all assets which have been uploaded alongside the form template. This allows for cleaner form templates by placing style sheets, images, etc. outside the actual form template, e.g. <link rel="stylesheet" type="text/css" href="<?assets_path?>/stylesheet.css">

All occurrences of <?company_text?> and <?admin_contact?> will be replaced by the messages defined in Management > Customization, e.g. <p>If you encounter any problems or questions, please contact <b><?admin_contact?></b>.</p>

All occurrences of <?company_logo?> will be replaced by the path leading to the image uploaded in Management > Customization, e.g. <img src="<?company_logo?>" alt="">

As of the 9.2 release, Sophos UTM includes a default form template to ease initial reverse authentication configuration and deployment. This is the form contained in the default form template object:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
  "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <link rel="stylesheet" type="text/css"
      href="<?assets_path?>/default_stylesheet.css">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <title>Login</title>
  </head>
  <body>
    <div id="container">
      <div class="info">
        <img src="<?company_logo?>" alt="">
        <p><?company_text?></p></div>
      <form action="<?login_path?>" method="POST">
        <p><label for="httpd_username">Username:</label>
        <input name="httpd_username" type="text"></p>
        <p><label for="httpd_password">Password:</label>
        <input name="httpd_password" type="password"></p>
        <p><input type="submit" value="Login"></p></form>
      <div class="note">
        If you encounter any problems or questions,
        please contact
        <b><?admin_contact?></b>.</div>
    </div>
  </body>
</html>
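A check for the three required conditions listed under Using Variables in Login Form Template, as an added example that is not part of Sophos UTM: it parses a template, verifies the POST form with action <?login_path?> and the httpd_username and httpd_password inputs, and flags any <?...?> variable the WAF does not substitute. The two templates are constructed for this example.

```python
import re
from html.parser import HTMLParser

LOGIN_PATH_VAR = "<?login_path?>"
REQUIRED_INPUTS = ("httpd_username", "httpd_password")
# Variables the WAF substitutes, per the Required and Optional lists above.
KNOWN_VARS = {"login_path", "assets_path", "company_text", "admin_contact", "company_logo"}
VAR_RE = re.compile(r"<\?([A-Za-z_]+)\?>")


class _FormScanner(HTMLParser):
    """Collect every <form> with its action, method and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def validate_template(html):
    """Return a list of problems; an empty list means the template meets the
    three required conditions and uses only variables the WAF substitutes."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    problems = []
    login_forms = [f for f in scanner.forms if f["action"] == LOGIN_PATH_VAR]
    if not login_forms:
        problems.append("no <form> whose action is %s" % LOGIN_PATH_VAR)
    else:
        form = login_forms[0]
        if form["method"] != "post":
            problems.append("login form method must be POST, found %s" % form["method"].upper())
        for name in REQUIRED_INPUTS:
            if name not in form["inputs"]:
                problems.append('login form has no <input name="%s">' % name)
    for var in sorted(set(VAR_RE.findall(html)) - KNOWN_VARS):
        problems.append("unknown variable <?%s?> will not be substituted" % var)
    return problems


# Constructed minimal template that satisfies all conditions.
GOOD_TEMPLATE = """<!DOCTYPE html>
<html><head><link rel="stylesheet" href="<?assets_path?>/style.css"></head>
<body><img src="<?company_logo?>" alt=""><p><?company_text?></p>
<form action="<?login_path?>" method="POST">
<input name="httpd_username" type="text">
<input name="httpd_password" type="password">
<input type="submit" value="Login"></form>
<p>Contact <b><?admin_contact?></b></p></body></html>"""

# Constructed template with a GET form, a misnamed password field and an unknown variable.
BAD_TEMPLATE = """<html><body>
<form action="<?login_path?>" method="GET">
<input name="httpd_username" type="text">
<input name="password" type="password">
<input type="submit" value="Login"></form>
<p><?company_name?></p></body></html>"""
```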

13.3 Certificate Management

Using the Webserver Protection > Certificate Management menu, which contains the same configuration options as the Site-to-site VPN > Certificate Management menu, you can manage all certificate-related operations of Sophos UTM. This includes creating or importing X.509 certificates as well as uploading so-called Certificate Revocation Lists (CRLs), among other things.

13.3.1 Certificates

See Site-to-site VPN > Certificate Management > Certificates.

13.3.2 Certificate Authority

See Site-to-site VPN > Certificate Management > Certificate Authority.

13.3.3 Revocation Lists (CRLs)

See Site-to-site VPN > Certificate Management > Revocation Lists (CRLs).

13.3.4 Advanced

See Site-to-site VPN > Certificate Management > Advanced.


14 RED Management

This chapter describes how to configure Sophos RED. RED is short for Remote Ethernet Device and is a means to connect remote branch offices and the like to your main office as if the branch office is part of your local network.

The setup consists of the Sophos UTM in your main office and a Remote Ethernet Device (RED) in your remote office. Establishing a connection between the two is very easy as the RED appliance itself does not need to be configured at all. As soon as the RED appliance is connected to your UTM it behaves like any other Ethernet device on your UTM. All traffic of your branch office is safely routed via your UTM, which means that your branch office is as secure as your local network.

There are currently two types of RED appliances available:

l   RED 10: RED solution for small remote offices

l   RED 50: RED solution for bigger remote offices which comes with two uplink interfaces.

The following topics are included in this chapter:

l   Overview

l   Global Settings

l   Client Management

l   Deployment Helper

l   Tunnel Management

Figure 24   RED: Setup Sketch

Setting up a RED environment involves the following steps:


1. Activation of RED support.

2. Configuration of the RED appliance on your UTM.

3. Connecting the RED appliance to the Internet on the remote site.

Note – The overview page of RED displays general information on the RED architecture as long as no RED appliance is configured. When a RED appliance has been configured, the page will display information on the RED status.

14.1 Overview

The Overview page provides general information on what RED is meant for, how it works, and what a typical RED setup looks like.

Cross Reference – For detailed information about RED devices see the Quick Start guides and Operating Instructions in the Sophos UTM Resource Center. The LED blink codes of the RED 10 appliances are described in the Sophos Knowledgebase.

Open RED Live Log

You can use the live log to monitor the connection between your Sophos UTM and the RED appliance. Click the Open RED Live Log button to open the live log in a new window.

14.2 Global Settings

On the Global Settings tab you can enable or disable the support for RED, which means that your UTM acts as a RED hub. You need to enable RED support before any RED appliances can connect to the UTM.

RED Configuration

To enable RED support, do the following:

1.   On the Global Settings tab, enable RED support.

Click the toggle switch.

The toggle switch turns amber and the RED Hub Configuration area becomes editable.


2.   Enter your organization details.

By default the settings from the Management > System Settings > Organizational tab are used.

3.   Click Activate RED.

The toggle switch turns green and RED support is activated. Your UTM is now registered

at the RED Provisioning Service (RPS) of Sophos to act as a RED hub.

You can now continue by adding one or more RED appliances on the Client Management page, or use the wizard on the Deployment Helper page.

To cancel the configuration, click the amber colored toggle switch.

Automatic Device Deauthorization

When RED support is enabled, you can specify if disconnected RED appliances should automatically be deauthorized after a certain time span. With this feature, you can prevent stolen RED appliances from connecting to the UTM.

Note – Automatic Device Deauthorization does not work for a RED tunnel between two UTMs.

1.   Enable automatic deauthorization.

Select the Enable Automatic Device Deauthorization checkbox.

2.   Specify a time span after which the RED appliance should be deauthorized.

Enter the desired value into the Deauthorize After text box. The minimum time span is 5 minutes.

3.   Click Apply.

The automatic device deauthorization is now activated.

When a RED appliance reconnects after being disconnected for a time span longer than the defined time span, it will automatically be disabled. This is indicated by the toggle switches on the Client Management page. A respective warning will be displayed on the Overview page as well.

To permit a deauthorized RED appliance to connect again, enable that RED appliance on the Client Management page.


14.3 Client Management

On the RED Management > Client Management page you can enable remote UTMs to connect to your UTM using a Remote Ethernet Device (RED) tunnel. The remote UTMs then simply act like RED appliances. Furthermore you can configure RED appliances manually (expert mode) instead of using the deployment helper. The deployment helper is a more convenient way to configure RED appliances and can be found on the next WebAdmin page.

Each RED appliance or UTM that is configured here is able to establish a connection to your UTM.

The [Server] tag in front of the page name indicates that this page only needs configuration if 

the UTM should act as server (RED hub).

Note – For RED appliances to be able to connect, you need to enable RED support on the

Global Settings page first.

Setting Up a RED Tunnel Between Two UTMs

To enable another UTM to connect to your local UTM using a RED tunnel, do the following:

1. On the Client Management tab, click Add RED.
The Add RED dialog box opens.

2. Make the following settings:
Branch Name: Enter a name for the branch where the client UTM is located, e.g. "Office Munich".
Client Type: Select UTM from the drop-down list.
Tunnel ID: By default, Automatic is selected. Tunnels will be numbered consecutively. You need to make sure that the tunnel ID is unique for both UTMs. In this case you might need to select another ID from the drop-down list.

3. Click Save.
The UTM object is being created.

4. Download the provisioning file.
To provide the remote (client) UTM with the configuration data, download the provisioning file using the Download button and transfer the file to the remote UTM in a secure way.

Configuring a RED Appliance

To enable a RED appliance to connect to your local UTM, do the following:

1. On the Client Management tab, click Add RED.
The Add RED dialog box opens.

2. Make the following settings:
Branch Name: Enter a name for the branch where the RED appliance is located, e.g. "Office Munich".
Client Type: Select RED 10 or RED 50 from the drop-down list, depending on the type of RED appliance you want to connect.

Note – The RED 50 appliance has an LCD display. It can be used to show you important information about the device. With the Left button you can enter the menu. Navigate with the Up and Down buttons and enter with the Right button. Please see the Operating Instructions for further information.

RED ID: Enter the ID of the RED appliance you are configuring. This ID can be found on the back of the RED appliance and on its packaging.
Tunnel ID: By default, Automatic is selected. Tunnels will be numbered consecutively. In case you have conflicting IDs, select another ID from the drop-down list.
Unlock Code (optional): For the first deployment of a RED appliance, leave this box empty. In case the RED appliance you are configuring has been deployed before, you need to provide its unlock code. The unlock code is generated during the deployment of a RED appliance and is emailed instantly to the address provided on the Global Settings tab. This is a security feature which ensures that a RED appliance cannot simply be removed and installed elsewhere.

Note – For manual deployment via USB stick and automatic deployment via RED Provisioning Service (see below), two separate unlock codes are generated. If you switch a RED device from one deployment method to the other, make sure to use the corresponding unlock code: for manual deployment, provide the unlock code of the last manual deployment; for automatic deployment, provide the unlock code of the last automatic deployment.

If you are not in possession of the unlock code, the only way to unlock the RED appliance is to contact Sophos Support. Support, however, can only help you if you deployed the configuration automatically, via the Sophos RED Provisioning Service.

Tip – The unlock code can also be found in the backup file of the UTM the RED was connected to, provided that the backup contains host-specific data.

UTM Hostname: You need to enter a public IP address or hostname where the UTM is accessible.
2nd UTM Hostname: For RED 50 appliances, you can enter another public IP address or hostname of the same UTM. Note that you cannot enter the IP or hostname of a different UTM.
Use 2nd hostname for (only with RED 50, see images below): You can configure what the second hostname should be used for.
• Failover: Select to only use the second hostname in case the first hostname fails.
• Balancing: Select to activate active load balancing between both hostnames. This makes sense if both uplinks the first and the second hostname correspond to are equal in latency and throughput.
Uplink mode/2nd Uplink mode: You can define how the RED appliance receives an IP address, which can be either via DHCP or by directly assigning a static IP address. For RED 50 appliances you define the uplink mode for each RED uplink Ethernet port separately.
• DHCP Client: The RED pulls an IP address from a DHCP server.
• Static Address: Enter an IPv4 address, a corresponding netmask, a default gateway and a DNS server.


Note – There is no one-to-one association between UTM hostname and RED uplink Ethernet port. Each RED port will try to connect to each defined UTM hostname.

Use 2nd uplink for (only with RED 50, see images below): You can configure what the second uplink should be used for.
• Failover: Select to only use the second uplink in case the first uplink fails.
• Balancing: Select to activate active load balancing between both uplinks. This makes sense if both uplinks on the RED 50 appliance are equal in latency and throughput.
Operation mode: You can define how the remote network will be integrated into your local network.
• Standard/Unified: The UTM completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. All remote network traffic will be routed through the UTM.
• Standard/Split: The UTM completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. In contrast to the Unified mode, only certain traffic will be routed through the UTM. Define local networks in the Split Networks box below which can be accessed by remote clients.

Note – VLAN tagged frames cannot be handled with this operation mode. If you use a VLAN behind your RED appliance, use the Standard operation mode instead.

• Transparent/Split: The UTM does not control the network traffic of the remote network; it serves neither as DHCP server nor as default gateway. On the contrary, it pulls an IP address from the DHCP server of the remote network to become a part of that network. However, you can enable access for remote clients to your local network. For that you need to define Split Networks that are allowed to be accessed by the remote network. Additionally, you can define one or more Split Domains to be accessible. If your local domains are not publicly resolvable, you need to define a Split DNS Server, which can be queried by remote clients.


Note – VLAN tagged frames cannot be handled with this operation mode. If you use a VLAN behind your RED appliance, use the Standard operation mode instead.

You can find examples for all the operation modes on the Deployment Helper tab.

3. For RED 50, optionally make the following switch port configuration settings:
LAN port mode: RED 50 offers four LAN ports that can be configured either as simple switches or for intelligent VLAN usage. When set to Switch, all traffic will basically be sent to all ports. When set to VLAN, traffic can be filtered according to the Ethernet frames' VLAN tag, thus allowing more than one network to be tunneled through the RED tunnel.
LAN modes: When using the VLAN switch port configuration, you can configure each LAN port separately. For each LAN port, the following options are available:
Untagged: Ethernet frames with the VLAN IDs specified in the LAN VID(s) field below will be sent to this port. The frames are sent without tags, thus the end devices do not have to support VLAN. This port allows just one VLAN ID.

Figure 25   LAN mode: Untagged

Untagged, drop tagged: Ethernet frames with the VLAN IDs specified in the LAN VID(s) field below will not be sent to this port. The frames are sent without tags, thus the end devices do not have to support VLAN.


Figure 26   LAN mode: Untagged, drop tagged

Tagged: Ethernet frames with the VLAN IDs specified in the LAN VID(s) field below will be sent to this port. The frames are sent with tags, and the end devices have to support VLAN. Frames without VLAN IDs will not be sent to this port. This port allows up to 64 different VLAN IDs separated by comma.

Figure 27   LAN mode: Tagged

Disabled: This port is closed. No frames, with or without the VLAN IDs specified in the LAN VID(s) field, will be sent to this port.

Figure 28   LAN mode: Disabled

Note – The LAN modes have different names in the Cisco/HP documentation: Untagged is also known as 'Hybrid Port', Untagged, drop tagged as 'Access Port' and Tagged as 'Trunk Port'.


4. Optionally, make the following advanced settings:
MAC filtering type: To restrict the MAC addresses allowed to connect to this RED appliance, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.
MAC addresses: The list of MAC addresses used to restrict access to the RED appliance. MAC address lists can be created on the Definitions & Users > Network Definitions > MAC Address Definitions tab. Note that for RED 10, a maximum of 200 MAC addresses is allowed, whereas for RED 50, the list may contain up to 400 MAC addresses.

Note – MAC filtering only works for RED rev. 2 or newer.

Device deployment: Select how you want to provide the necessary configuration settings for the RED. By default, the UTM provides the RED's configuration data automatically via Sophos' RED Provisioning Service. In this case, the RED appliance receives its configuration via the Internet. If, for example, your RED does not have an Internet connection, you can provide the configuration manually, via USB stick. If you deploy a RED device manually, you have to ensure that the UTM is acting as NTP server. Therefore, activate NTP on the UTM and allow the correct network or at least the IP address of the RED.

Note – After you have deployed a RED manually, you need to deploy it once using the RED Provisioning Service (automatically) before you can deploy it manually again. Manual device deployment only works for RED appliances with firmware version 9.1 or newer.

Caution – If you select manual deployment, it is extremely important to keep the unlock code, which is sent by email. If you lose the unlock code, you can never again connect the RED appliance to another UTM.

Data compression: Enabling data compression will compress all traffic that is sent through the RED tunnel. Data compression might increase the throughput of the RED appliance in areas with a very slow Internet connection such as 1-2 Mbps. However, any performance increase mainly depends on the entropy of the data being sent (for example, already compressed data such as HTTPS or SSH cannot be compressed any further). In some circumstances it might therefore be possible that enabling data compression actually reduces the throughput of the RED appliance. In that case, please disable data compression.

Note – Data compression is not available for RED 10 rev. 1.

3G/UMTS failover: Starting with RED rev. 2, the RED appliance offers a USB port where you can plug in a 3G/UMTS USB stick. If selected, this stick can serve as Internet uplink failover in case of a WAN interface failure. For the necessary settings please refer to your Internet provider's data sheet.
• Username/Password (optional): If required, enter a username and password for the mobile network.
• PIN (optional): Enter the PIN of the SIM card if a PIN is configured.

Note – If you enter a wrong PIN, the connection via 3G/UMTS cannot be established in case of a WAN interface failure. Instead, the 3G/UMTS failover checkbox of the RED appliance will automatically be unselected. Thus, the wrong PIN will only be used once. When the WAN interface comes up again, a warning will be displayed for the RED appliance: A wrong PIN was entered for 3G/UMTS failover uplink. Please change the login data. When you open the Edit RED dialog box, a message is displayed which tells you that the 3G/UMTS failover was automatically unselected. Correct the PIN before selecting the checkbox again. Please note that after three connection attempts with a wrong PIN, the SIM card will be locked. Unlocking cannot be done via the RED appliance or the UTM. The signal strength for most supported 3G/UMTS USB sticks is displayed in the Live Log and on the RED 50 LCD display.

• Mobile network: Select the mobile network type, which is either GSM or CDMA.
• APN: Enter your provider's Access Point Name information.
• Dial string (optional): If your provider uses a different dial string, enter it here. Default is *99#.

Note – You always have to make the following configurations manually: 1) Creating the necessary firewall rules (Network Protection > Firewall > Rules). 2) Creating the necessary masquerading rules (Network Protection > NAT > Masquerading).


5. Click Save.
The RED appliance is being created and appears on the RED list.

With automatic device deployment, as soon as the RED has booted, it will fetch its configuration from the Sophos RED Provisioning Service (RPS). After that, the connection between your UTM and the RED appliance is going to be established.

With manual device deployment, the new entry in the RED list will have a Download button. Download the configuration file and save it to the root directory of a USB stick. Then plug the USB stick into the RED appliance before turning it on. The RED will fetch its configuration from the USB stick. After that, the connection between your UTM and the RED appliance is going to be established.

Caution – It is crucial that you keep the unlock code, which is emailed instantly to the address provided on the Global Settings tab as soon as the RED appliance receives its configuration. (In case of switching between manual and automatic deployment, make sure to keep both unlock codes.) You need the unlock code when you want to use the RED appliance with another UTM. If you then do not have the unlock code ready, the only way to unlock the RED appliance is to contact Sophos Support. Support, however, can only help you if you deployed the configuration automatically, via the Sophos RED Provisioning Service.

To edit a RED appliance, click the corresponding button. You can see the appliance status of all configured RED appliances on the RED overview page of WebAdmin.

The following images give an overview of the four balancing/failover combinations RED 50 provides. Solid lines reflect balancing, dotted lines failover behavior:

Figure 29   RED 50: Hostname and Uplink Balancing (turquoise) and Hostname and Uplink Failover (red)


Figure 30   RED 50: Hostname Balancing and Uplink Failover (green) and Hostname Failover and Uplink Balancing (blue)

General information about RED 50 balancing

The balancing algorithm selects an outgoing link based on source and destination IP address. It does not balance on a per-packet basis. The reason is that TCP performance suffers severely when packets are reordered due to different paths in a single TCP connection.

This means that any transmission with the same source and destination IP address will always take the same interface combination (for example, outgoing packets on WAN 1 to uplink 1 on the UTM, incoming packets from uplink 2 on the UTM to WAN 1). When a client behind a RED 50 downloads a large file, all incoming packets will be transmitted via one interface only. When a client simultaneously downloads two files from two different servers, the incoming packets will be transmitted via either one interface or both interfaces, depending on the IP addresses.
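The per-flow link selection described above, as an added illustration that is not Sophos code: the actual hash the RED 50 uses is not documented, so a keyed BLAKE2b over the address pair stands in for it, and the link names, latencies and addresses are constructed. It also simulates the per-packet spraying the appliance avoids, to show the reordering the text refers to.

```python
"""Flow-affine balancing as described for RED 50 (added illustration, not Sophos code).

The RED 50 picks an outgoing link per source/destination IP pair, never per
packet, because spraying one TCP stream over paths of unequal latency
reorders it. The appliance's real hash is undocumented; a keyed BLAKE2b over
the two addresses is assumed here as a stand-in.
"""
import hashlib
import ipaddress

LINKS = ("WAN 1", "WAN 2")
# Constructed sample latencies (ms): two uplinks that are NOT equal, i.e. the
# situation in which the page says balancing does not make sense.
LATENCY_MS = {"WAN 1": 10, "WAN 2": 30}


def select_link(src_ip: str, dst_ip: str) -> str:
    """Deterministic link choice for a (src, dst) pair.

    The same pair always maps to the same link. The order of the pair matters,
    so the reverse direction may legitimately use the other interface (the
    page's "WAN 1 out via uplink 1, uplink 2 in to WAN 1" example).
    """
    data = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    digest = hashlib.blake2b(data, key=b"red50-demo", digest_size=8).digest()
    return LINKS[int.from_bytes(digest, "big") % len(LINKS)]


def per_flow(seq, src, dst):
    """What the RED 50 does: the sequence number plays no role."""
    return select_link(src, dst)


def per_packet(seq, src, dst):
    """Round-robin spraying, the behaviour the RED 50 deliberately avoids."""
    return LINKS[seq % len(LINKS)]


def deliver(packets, chooser):
    """Simulate transmission: packet i leaves at t=i ms over the chosen link.

    Returns the sequence numbers in the order they reach the far end.
    """
    arrivals = []
    for seq, (src, dst) in enumerate(packets):
        link = chooser(seq, src, dst)
        arrivals.append((seq + LATENCY_MS[link], seq))
    arrivals.sort()
    return [seq for _, seq in arrivals]


def count_reordered(order):
    """Count packets that arrive after a higher sequence number already did."""
    highest, reordered = -1, 0
    for seq in order:
        if seq < highest:
            reordered += 1
        highest = max(highest, seq)
    return reordered


def links_used(packets, chooser):
    """Set of links touched by a packet list under a given chooser."""
    return {chooser(seq, src, dst) for seq, (src, dst) in enumerate(packets)}


# Constructed sample traffic: one client behind the RED 50 fetching a large
# file from one server (20 packets, identical addresses), and the same client
# fetching from two servers at once.
CLIENT = "192.168.10.20"
SERVER_A = "203.0.113.10"
SERVER_B = "198.51.100.77"
BIG_DOWNLOAD = [(SERVER_A, CLIENT)] * 20
TWO_DOWNLOADS = [(SERVER_A, CLIENT), (SERVER_B, CLIENT)] * 10

if __name__ == "__main__":
    print("per-flow   reordered:", count_reordered(deliver(BIG_DOWNLOAD, per_flow)))
    print("per-packet reordered:", count_reordered(deliver(BIG_DOWNLOAD, per_packet)))
    print("links for two parallel downloads:", links_used(TWO_DOWNLOADS, per_flow))
```

Whether the two parallel downloads land on one link or both depends only on how the two server addresses hash, which is exactly what the paragraph says about the RED 50.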

Here are the balancing setups:

RED 50 with balancing, UTM with one uplink
• Enter only UTM hostname
• Configure first and second uplink for balancing

Note – Do not enter 2nd UTM Hostname. Also do not enter the same IP or name twice.

RED 50 with balancing, UTM with two uplinks in balancing mode
• Enter two different hostnames and IP addresses for the UTM
• Configure first and second uplink for balancing
• Make sure UTM uplink balancing is enabled for the two hostnames and IP addresses in Interfaces -> Uplink balancing

RED 50 with one uplink, UTM with two uplinks in balancing mode
• Enter two different hostnames and IP addresses for the UTM
• Make sure UTM uplink balancing is enabled for the two hostnames and IP addresses in Interfaces -> Uplink balancing

Note – If uplink balancing is not enabled, this will lead to 'IPv4: martian source...' error messages in dmesg on the UTM.

Deleting a RED Appliance

To delete a RED appliance, click the Delete button next to the appliance name. There will be a warning that the RED object has dependencies. Be aware that deleting a RED appliance will not delete associated interfaces and their dependencies. This is intentional, since it enables you to move an interface from one RED appliance to another.

If you want to remove a RED appliance setup completely, you need to delete potential interface and other definitions manually.

14.4 Deployment Helper

The RED Management > Deployment Helper tab provides a wizard that facilitates setting up and integrating a RED environment. The wizard is meant to be a simple alternative to the normal configuration on the Client Management tab. You only need to fill in the requested fields, if needed also fields marked optional, and to click Deploy RED.

The [Server] tag in front of the page name indicates that this page only needs configuration if the UTM should act as server (RED hub).

Note – For your convenience, with Standard and Standard/Split mode, in contrast to the Client Management tab, the deployment helper automatically creates the following objects: a local interface with the specified IP address; a DHCP server for the remote network, covering half of the available IP address range; access to the local DNS resolver. In Transparent/Split mode, the deployment helper only creates a DHCP client (Ethernet DHCP) interface.

The deployment helper provides short descriptions for every option and a sketch for each of the three operation modes offered by the RED technology.

Below you find a description and use case examples for the three operation modes of RED.


Standard/Unified

The UTM manages the whole remote network. It acts as DHCP server and as default gateway.

Example: You have a branch office and, for security reasons, you want all its traffic to be routed via your headquarters UTM. That way the remote site becomes a part of your local network as if it were connected via LAN.

Standard/Split

Note – VLAN tagged frames cannot be handled with this operation mode. If you use a VLAN behind your RED appliance, use the Standard operation mode instead.

As with the Standard mode, the UTM manages the whole remote network. It acts as DHCP server and as default gateway. The difference is that only traffic targeted to networks listed in the Split Networks box is redirected to your local UTM. All traffic not targeted to the defined split networks is routed directly to the Internet.

Example: You have a branch office and you want it to have access to your local intranet, or you want to route traffic of the remote network via your UTM for security reasons, e.g. to have the traffic checked for viruses or to use an HTTP proxy.

Transparent/Split

Note – VLAN tagged frames cannot be handled with this operation mode. If you use a VLAN behind your RED appliance, use the Standard operation mode instead.

The remote network stays independent; the UTM is a part of this network by getting an IP address from the remote DHCP server. Only certain traffic of the remote network is allowed to access certain networks or local domains of yours. Since the UTM has no control of the remote network, local domains which are not publicly resolvable cannot be resolved by the remote router unless you define a Split DNS Server. This is a local DNS server of yours which can then be queried by remote clients.

Technically, the local interface of the RED appliance and its uplink interface to your local UTM as well as its link to the remote router are bridged. (For RED 50 appliances, LAN ports are bridged only to WAN 1.) Since the UTM is only a client of the remote network, routing traffic to the split networks the same way as with the other modes is not possible. Therefore, the RED appliance intercepts all traffic: traffic targeting a network listed in the Split Networks box or going to a domain listed in the Split Domains box is redirected to the UTM interface. This is accomplished by replacing the default gateway's MAC address in the respective data packets with the UTM's MAC address.
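The interception described above, as an added illustration that is not Sophos code: it models the per-frame decision a RED makes in Transparent/Split mode, rewriting the remote gateway's MAC to the UTM's for split destinations and leaving everything else untouched. The Split Networks, Split Domains and MAC addresses are constructed samples, and watching DNS answers to recognise split-domain traffic is an assumed mechanism the page does not describe.

```python
"""Transparent/Split interception, modelled (added illustration, not Sophos code).

A frame from a remote client that is addressed to the remote default gateway
is steered into the RED tunnel only if its destination IP lies in a Split
Network or was resolved via a Split Domain. Steering means one change: the
destination MAC becomes the UTM's. The IP header is untouched, which is why
the UTM can sit in the remote network as an ordinary DHCP client.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    """Minimal view of an Ethernet frame carrying an IP packet."""
    dst_mac: str
    src_ip: str
    dst_ip: str


class SplitPolicy:
    def __init__(self, split_networks, split_domains, gateway_mac, utm_mac):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in split_networks]
        self.domains = tuple(d.lower().strip(".") for d in split_domains)
        self.gateway_mac = gateway_mac.lower()
        self.utm_mac = utm_mac.lower()
        # Addresses that remote clients resolved for a split domain. How the
        # appliance learns these is not on the page; observing DNS answers is
        # the assumed mechanism here.
        self.split_hosts = set()

    def in_split_networks(self, addr):
        return any(addr in net for net in self.networks)

    def matches_split_domain(self, name):
        """True for the domain itself and any name below it."""
        name = name.lower().strip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def learn_dns_answer(self, name, ip):
        """Remember the resolved address if the name belongs to a split domain."""
        if not self.matches_split_domain(name):
            return False
        self.split_hosts.add(ipaddress.ip_address(ip))
        return True

    def forward(self, frame):
        """Return the frame as the RED would put it on the wire."""
        # Only frames addressed to the remote default gateway are candidates;
        # same-subnet traffic never carries the gateway's MAC and passes untouched.
        if frame.dst_mac.lower() != self.gateway_mac:
            return frame
        addr = ipaddress.ip_address(frame.dst_ip)
        if self.in_split_networks(addr) or addr in self.split_hosts:
            # Steer into the tunnel: same IP header, UTM's MAC as destination.
            return replace(frame, dst_mac=self.utm_mac)
        return frame  # Internet-bound or other traffic stays with the remote router.


# Constructed sample configuration for a partner site.
POLICY = SplitPolicy(
    split_networks=["10.10.0.0/16"],     # constructed: intranet behind the UTM
    split_domains=["intranet.example"],  # constructed: Split Domain entry
    gateway_mac="00:11:22:33:44:55",     # constructed: remote router
    utm_mac="aa:bb:cc:dd:ee:ff",         # constructed: UTM's interface in the remote LAN
)

if __name__ == "__main__":
    GW = POLICY.gateway_mac
    for f in (Frame(GW, "172.16.5.9", "10.10.3.4"),   # split network -> tunnel
              Frame(GW, "172.16.5.9", "8.8.8.8"),     # Internet -> remote router
              Frame("02:00:00:00:00:01", "172.16.5.9", "10.10.3.4")):  # not via gateway
        print(f.dst_ip, "->", POLICY.forward(f).dst_mac)
```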

Example: There is a partner or a service provider who should have access to your intranet or a certain server in your local network. Using a RED appliance, that partner's network will stay completely independent of your network, but they can access a defined part of your network for certain purposes, as if they were connected via LAN.

Note – Using the deployment helper, the uplink mode of the RED appliance is DHCP Client in either operation mode. If you need to assign it a static IP address instead, you need to configure the RED appliance on the Client Management tab.

14.5 Tunnel Management

On the RED Management > Tunnel Management page you can configure your UTM to act as a RED appliance to be able to establish a RED tunnel to another UTM. The remote host UTM will then serve as RED hub for your UTM.

The [Client] tag in front of the page name indicates that this page only needs configuration if the UTM should act as RED client.

To connect your UTM to the host UTM you need a provisioning file. This file needs to be generated on the host UTM (see Client Management).

To connect your UTM to the host UTM, proceed as follows:

1. On the host UTM, add your local UTM to the Client Management list.
2. On the host UTM, download the provisioning file for your UTM.
3. On your local UTM, click Add Tunnel.
The Add Tunnel dialog box opens.
4. Make the following settings:
Tunnel Name: Enter a descriptive name for this tunnel.
UTM Host: Select the remote UTM host.


Prov. File: Click the Folder icon, select the provisioning file you want to upload, and click Start Upload.
Comment (optional): Add a description or other information.
5. Click Save.
The RED tunnel will be established and displayed on the Tunnel Management list.


15 Site-to-site VPN

This chapter describes how to configure site-to-site VPN settings of Sophos UTM. Site-to-site VPNs in Sophos UTM are realized by means of Virtual Private Networks (VPNs), which are a cost effective and secure way for remote networks to communicate confidentially with each other over a public network such as the Internet. They use the cryptographic tunneling protocol IPsec to provide confidentiality and privacy of the data transmitted over them.

Cross Reference – More information on how to configure site-to-site VPN connections can be found in the Sophos Knowledgebase.

The following topics are included in this chapter:
• Amazon VPC
• IPsec
• SSL
• Certificate Management

The Site-to-site VPN overview page in WebAdmin shows all configured Amazon VPC, IPsec, and SSL connections and their current status. The state of each connection is reported by the color of its status icons. There are two types of status icons. The larger ones next to the connection name inform about the overall status of a connection. The different colors mean:
• Green – All SAs (Security Associations) have been established. Connection is fully functional.
• Yellow – Not all SAs have been established. Connection is partly functional.
• Red – No SAs have been established. Connection is not functional.

The smaller ones next to the tunnel information report the status for that tunnel. Here the colors mean:
• Green – All SAs have been established. Tunnel is fully functional.
• Yellow – IPsec SA has been established, ISAKMP SA (Internet Security Association and Key Management Protocol) is down. Tunnel is fully functional.
• Red – No SAs have been established. Connection is not functional.


15.1 Amazon VPC

Amazon Virtual Private Cloud (VPC) is a commercial cloud computing service. A user can create virtual private clouds, which can subsequently be connected to a local network and centrally managed over IPsec tunnels.

You can connect your Amazon VPC to your Sophos UTM if the UTM has a static public IP address. The entire configuration of the VPN connections has to be done in the Amazon environment. Afterwards you just import the connection data using your Amazon access data or a configuration file.

15.1.1 Status

The Site-to-site VPN > Amazon VPC > Status page shows a list of all connections to your Amazon VPCs. Here you can enable and disable the connections.

To enable connections to Amazon VPC, proceed as follows:

1. On the Setup page, import at least one VPC connection.
2. On the Status page, enable Amazon VPC.
Click the toggle switch.
The toggle switch turns green and the imported VPC connections are displayed.
3. Enable the desired connection.
Click the toggle switch of the connection you want to enable.
The toggle switch turns green and the two tunnels of the VPC connection are displayed.

Note – Each connection consists of two tunnels for redundancy reasons: an active and a backup tunnel. Active tunnels can be identified by having a netmask at the end of their BGP line. The status icons of the tunnels are displayed for control purposes only; you cannot enable or disable a single tunnel.

To disable all Amazon VPC connections, click the topmost toggle switch. To disable a single connection, click the toggle switch of the respective connection.


To close a connection and delete it from the list, click the red Delete icon of the respective connection.

Note – As the connections are configured on Amazon VPC's side, you can re-import a deleted connection into Sophos UTM with the same data as before.

More information about Amazon VPC can be found in the Amazon User Guide.

15.1.2 Setup

On the Site-to-site VPN > Amazon VPC > Setup page you add connections to your Amazon Virtual Private Cloud (VPC). You can either import all connections configured with one Amazon Web Service (AWS) account and using the IP address of your Sophos UTM as Customer Gateway (Amazon term for your endpoint of a VPC VPN connection), or you add connections one by one using the configuration file which you can download from Amazon.

Import Via Amazon Credentials

You can import all connections configured with one AWS account and using the IP address of your Sophos UTM as Customer Gateway at once. Just enter the AWS credentials you were given when you created your Amazon Web Service account.

Note – All existing connections listed in the Status tab will be deleted during the import.

To import connections, proceed as follows:

1. Make the following settings:
Access Key: Enter the Amazon Access Key ID. It is a 20-character, alphanumeric sequence.
Secret Key: Enter the Secret Access Key. It is a 40-character sequence.
2. Click Apply.
The connections are imported and subsequently displayed on the Status page.

Import Via Amazon Configuration

To add a single connection to the existing list of connections you have to upload the configuration file of the respective connection.

To import a single connection, proceed as follows:


1. Download the configuration file of your Amazon VPC connection.

In Amazon's download dialog make sure to select Sophos from the Vendor drop-down list.

2. Open the Upload file dialog window.

Click the Folder icon next to the VPC Config File box.

3. Select the configuration file and upload it.

To upload the selected file, click the Start Upload button.

The filename is displayed in the VPC Config File box.

4. If you use static routing, enter the remote network.

The remote network is not part of the configuration file. Therefore you need to enter it separately into the Remote network field, e.g. 10.0.0.0/8. This field is only important if you have configured static routing instead of dynamic routing in Amazon VPC.

5. Click Apply.

The connection is imported and subsequently displayed on the Status page.

Route Propagation

You can configure networks which are pushed into those routing tables in the Amazon VPC that have route propagation enabled.

To select local networks, proceed as follows:

1. Add local networks.

Add or select a local network that should be pushed via route propagation. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

2. Click Apply.

The route propagation networks are applied.

15.2 IPsec

IP Security (IPsec) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets.

The IPsec standard defines two service modes and two protocols:

- Transport mode
- Tunnel mode
- Authentication Header (AH) authentication protocol
- Encapsulated Security Payload (ESP) encryption (and authentication) protocol

IPsec also offers methods for manual and automatic management of Security Associations (SAs) as well as key distribution. These characteristics are consolidated in a Domain of Interpretation (DOI).

IPsec Modes

IPsec can work in either transport mode or tunnel mode. In principle, a host-to-host connection can use either mode. If, however, one of the endpoints is a security gateway, tunnel mode must be used. The IPsec VPN connections on this UTM always use tunnel mode.

In transport mode, the original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text.

In tunnel mode, the complete packet, header and payload, is encapsulated in a new IP packet. A new IP header is added, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packet remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP.

IPsec Protocols

IPsec uses two protocols to communicate securely on the IP level.

- Authentication Header (AH): A protocol for the authentication of packet senders and for ensuring the integrity of packet data.
- Encapsulating Security Payload (ESP): A protocol for encrypting the entire packet and for the authentication of its contents.

The Authentication Header protocol (AH) checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP addresses have not been changed in transmission. Packets are authenticated using a checksum created using a Hash-based Message Authentication Code (HMAC) in connection with a key. One of the following hashing algorithms will be used:

- Message Digest Version 5 (MD5): This algorithm generates a 128-bit checksum from a message of any size. This checksum is like a fingerprint of the message, and will change if the message is altered. This hash value is sometimes also called a digital signature or a message digest.
- The Secure Hash (SHA-1): This algorithm generates a hash similar to that of MD5, though the SHA-1 hash is 160 bits long. SHA-1 is more secure than MD5, due to its longer key.

Compared to MD5, an SHA-1 hash is somewhat harder to compute, and requires more CPU time to generate. The computation speed depends, of course, on the processor speed and the number of IPsec VPN connections in use at the Sophos UTM.

In addition to encryption, the Encapsulated Security Payload protocol (ESP) offers the ability to authenticate senders and verify packet contents. If ESP is used in tunnel mode, the complete IP packet (header and payload) is encrypted. New, unencrypted IP and ESP headers are added to the encapsulating packet: The new IP header contains the address of the receiving gateway and the address of the sending gateway. These IP addresses are those of the VPN tunnel.

For ESP with encryption normally the following algorithms are used:

- Triple Data Encryption Standard (3DES)
- Advanced Encryption Standard (AES)

Of these, AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. Sophos UTM supports a number of encryption algorithms. Either the MD5 or SHA-1 algorithms can be used for authentication.
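The keyed HMAC check that AH (and ESP authentication) performs, as an added example that is not part of the manual: it computes the integrity check value over a constructed IPv4 packet with the mutable header fields zeroed, so a TTL decrement still verifies while a rewritten address does not, and it goes beyond the MD5/SHA-1 text here to the SHA-2 truncation lengths offered on the Policies tab (RFC 2403/2404 and RFC 4868); the key, packets and the reading of the "(96 bit)" labels as a 96-bit ICV are this example's assumptions.

```python
"""AH-style integrity check: HMAC over an IPv4 packet with the mutable
header fields zeroed, truncated to the ICV length of the negotiated
authentication algorithm. Added example, not Sophos or UTM code.
Truncations follow RFC 2403/2404 (96 bit for MD5 and SHA-1) and RFC 4868
(128/192/256 bit for SHA-256/384/512); that the "(96 bit)" SHA2 entries of
the Policies tab mean a 96-bit ICV is this example's reading. The real AH
header and protocol-field rewrite are omitted; key and packets are constructed.
"""
import hmac
import ipaddress
import struct

# WebAdmin label -> (hashlib digest name, ICV length in bits)
AUTH_ALGS = {
    "MD5 (128 bit)": ("md5", 96),
    "SHA1 (160 bit)": ("sha1", 96),
    "SHA2 256 (256 bit)": ("sha256", 128),
    "SHA2 384 (384 bit)": ("sha384", 192),
    "SHA2 512 (512 bit)": ("sha512", 256),
    "SHA2 256 (96 bit)": ("sha256", 96),
    "SHA2 384 (96 bit)": ("sha384", 96),
    "SHA2 512 (96 bit)": ("sha512", 96),
}


def zero_mutable_ipv4_fields(packet: bytes) -> bytes:
    """Fields routers legitimately change in transit (RFC 4302 appendix A)
    are zeroed so they do not take part in the ICV; everything else,
    including both addresses, stays covered."""
    h = bytearray(packet[:20])
    h[1] = 0                 # DSCP / ECN
    h[6] = h[7] = 0          # flags and fragment offset
    h[8] = 0                 # TTL
    h[10] = h[11] = 0        # header checksum
    return bytes(h) + packet[20:]


def compute_icv(key: bytes, packet: bytes, alg_label: str) -> bytes:
    digest, bits = AUTH_ALGS[alg_label]
    mac = hmac.new(key, zero_mutable_ipv4_fields(packet), digest).digest()
    return mac[: bits // 8]


def verify_icv(key: bytes, packet: bytes, icv: bytes, alg_label: str) -> bool:
    # compare_digest returns False on a length mismatch as well, which is
    # exactly what happens when peers disagree on the truncation length
    return hmac.compare_digest(compute_icv(key, packet, alg_label), icv)


def ipv4_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum left 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       0x4000, ttl, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed demo key
PAYLOAD = b"constructed UDP payload"


def demo(alg_label: str = "SHA2 256 (256 bit)") -> dict:
    original = ipv4_packet("192.0.2.10", "198.51.100.20", 64, PAYLOAD)
    icv = compute_icv(KEY, original, alg_label)
    after_hop = ipv4_packet("192.0.2.10", "198.51.100.20", 63, PAYLOAD)  # TTL decremented by a router
    rerouted = ipv4_packet("192.0.2.10", "203.0.113.7", 64, PAYLOAD)     # destination rewritten
    return {
        "icv_bytes": len(icv),
        "survives_ttl_change": verify_icv(KEY, after_hop, icv, alg_label),
        "detects_address_change": not verify_icv(KEY, rerouted, icv, alg_label),
        # same key and hash, but a pre-RFC 4868 peer expects a 96-bit ICV
        "peer_using_96bit_agrees": verify_icv(KEY, original, icv, "SHA2 256 (96 bit)"),
    }


if __name__ == "__main__":
    print(demo())
```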

NAT Traversal (NAT-T)

NAT traversal is a technology for establishing connections between hosts in TCP/IP networks which use NAT devices. This is achieved by using UDP encapsulation of the ESP packets to establish IPsec tunnels through NAT devices. UDP encapsulation is only used if NAT is detected between the IPsec peers; otherwise normal ESP packets will be used.

With NAT traversal you are able to place the gateway or a road warrior behind a NAT router and still establish an IPsec tunnel. Both IPsec peers must support NAT traversal if you want to use this feature, which is automatically negotiated. Make sure that the NAT device has IPsec passthrough turned off, because this could impair the use of NAT traversal.

If road warriors want to use NAT traversal, their corresponding user object in WebAdmin must have a static remote access IP address (RAS address) set (see also Use Static Remote Access IP on the Users page in WebAdmin).

By default, a NAT traversal keep-alive signal is sent at intervals of 60 seconds to prevent an established tunnel from expiring when no data is transmitted. The keep-alive messages are sent to ensure that the NAT router keeps the state information associated with the session so that the tunnel stays open.
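As an added example that is not Sophos code, the following Python classifies what a capture on UDP port 4500 contains once NAT-T has been negotiated: the keep-alive described above, IKE behind the non-ESP marker, or UDP-encapsulated ESP, and then summarises a trace the way a defender reviewing a tunnel would. The manual only states that ESP is UDP-encapsulated; the framing used here is taken from RFC 3948 and RFC 3947, and every datagram is constructed.

```python
"""Classify datagrams on UDP port 4500 after NAT traversal is negotiated.
Added example, not Sophos code. Framing per RFC 3948 (UDP-encapsulated ESP
starts with the SPI; the NAT-keepalive is a single 0xFF octet) and RFC 3947
(IKE is preceded by a 4-byte zero non-ESP marker). Samples are constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # the keepalive sent every 60 s by default
IKE_HEADER_LEN = 28                    # fixed ISAKMP/IKE header size

# exchange types an analyst is likely to meet (ISAKMP / IKEv2 registries)
EXCHANGE_TYPES = {
    2: "IKEv1 identity protection (main mode)",
    4: "IKEv1 aggressive mode",
    5: "IKEv1 informational",
    32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return the datagram kind plus the header fields worth logging."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        i_spi, r_spi, _next, version, exch, _flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": i_spi,
            "responder_spi": r_spi,
            "major_version": version >> 4,
            "exchange_type": exch,
            "exchange": EXCHANGE_TYPES.get(exch, "unknown"),
            "message_id": msg_id,
            "length_ok": length == len(ike),  # False: truncated or padded datagram
        }
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        return {"kind": "malformed", "reason": "ESP with reserved SPI 0"}
    return {"kind": "esp", "spi": spi, "sequence": seq}


def review_flow(datagrams: list) -> dict:
    """Summarise (seconds, payload) pairs of one peer pair: SPIs in use,
    gaps between keepalives (expected ~60 s), whether an IKEv1 aggressive
    mode exchange appears (this UTM only supports main mode), malformed count."""
    summary = {"esp_spis": set(), "keepalive_gaps": [], "aggressive_mode": False, "malformed": 0}
    last_keepalive = None
    for ts, payload in datagrams:
        rec = classify_nat_t_payload(payload)
        if rec["kind"] == "nat-keepalive":
            if last_keepalive is not None:
                summary["keepalive_gaps"].append(ts - last_keepalive)
            last_keepalive = ts
        elif rec["kind"] == "esp":
            summary["esp_spis"].add(rec["spi"])
        elif rec["kind"] == "ike":
            summary["aggressive_mode"] = summary["aggressive_mode"] or rec["exchange_type"] == 4
        else:
            summary["malformed"] += 1
    return summary


def ike_datagram(i_spi: int, r_spi: int, exch: int) -> bytes:
    """Constructed IKE datagram with an empty body (length == header length)."""
    hdr = struct.pack("!QQBBBBII", i_spi, r_spi, 0, 0x10, exch, 0, 0, IKE_HEADER_LEN)
    return NON_ESP_MARKER + hdr


def esp_datagram(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed UDP-encapsulated ESP datagram (body content is irrelevant here)."""
    return struct.pack("!II", spi, seq) + body


# Constructed trace: main-mode IKE, two ESP packets, keepalives 60 s apart, one bogus ESP.
SAMPLE_TRACE = [
    (0, ike_datagram(0x1122334455667788, 0, 2)),
    (1, esp_datagram(0xC0FFEE01, 1)),
    (2, esp_datagram(0xC0FFEE01, 2)),
    (60, NAT_KEEPALIVE),
    (120, NAT_KEEPALIVE),
    (121, esp_datagram(0, 7)),
]

if __name__ == "__main__":
    for ts, p in SAMPLE_TRACE:
        print(ts, classify_nat_t_payload(p))
    print(review_flow(SAMPLE_TRACE))
```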

TOS

Type of Service bits (TOS bits) are several four-bit flags in the IP header. These bits are referred to as Type of Service bits because they allow the transferring application to tell the network which type of service quality is necessary.

With the IPsec implementation of Sophos UTM the TOS value is always copied.

15.2.1 Connections

On the Site-to-site VPN > IPsec > Connections tab you can create and edit IPsec connections.

To create an IPsec connection, proceed as follows:

1. On the Connections tab, click New IPsec Connection.

The Add IPsec Connection dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this connection.

Remote gateway: Select a remote gateway definition. Remote gateways are configured on the Site-to-site VPN > IPsec > Remote Gateways tab.

Local interface: Select the name of the interface which is used as the local endpoint of the IPsec tunnel.

Policy: Select the IPsec policy for this IPsec connection. IPsec policies can be defined on the Site-to-site VPN > IPsec > Policies tab.

Local networks: Select or add the local networks that should be reachable through the VPN tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Automatic firewall rules: By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled. If you want a stricter IPsec connection, disable Automatic firewall rules and use IPsec objects in the firewall rule set instead.

Strict routing: If strict routing is enabled, VPN routing is done according to source and destination IP address (instead of only destination IP address). In this case, only those packets exactly matching the VPN tunnel definition are routed into the VPN tunnel. As a consequence, you cannot use SNAT to add networks or hosts to the VPN tunnel that are originally not part of the tunnel definition. On the other hand, without strict routing, you cannot have a mixed unencrypted/encrypted setup to the same network from different source addresses.

Bind tunnel to local interface: By default, the option is unselected and all traffic originating from the selected local networks and going to the defined remote networks will always be sent through this IPsec tunnel. It is not possible to have multiple identical tunnels on different interfaces because the selector would always be the same. However, if enabled, the defined IPsec selector will be bound to the selected local interface. Thus it is possible to either bypass IPsec policies with static routes or define redundant IPsec tunnels over different uplinks and use multipath rules to balance traffic over the available interfaces and their IPsec tunnels. Use cases for this setting are for example:

- Bypass IPsec policies for local hosts which belong to the remote network through static routes.
- Balance traffic based on layer 3 and layer 4 with multipath rules over multiple IPsec tunnels or MPLS links with automatic failover.

Note – This option cannot be used in combination with an interface group.

Comment (optional): Add a description or other information.

3. Click Save.

The new connection appears on the IPsec Connections list.

To either edit or delete a connection, click the corresponding buttons.

Open Live Log: The IPsec VPN live log displays monitoring information about established IPsec connections. Click the button to open the live log in a new window.

15.2.2 Remote Gateways

On the Site-to-site VPN > IPsec > Remote Gateways tab you can define the remote gateways for your site-to-site VPN tunnels. These definitions will become available when creating IPsec connections on the IPsec > Connections tab.

To add a remote gateway, proceed as follows:

1. On the Remote Gateways tab, click New Remote Gateway.

The Add Remote Gateway dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this remote gateway.

Gateway type: Select the type of the gateway. The following types are available:

- Initiate connection: Select if the remote endpoint has a static IP address so that a connection to the remote gateway can be initiated by the gateway. If selected, specify the remote gateway in the Gateway box. Note that you can also select this option if the remote gateway is resolved through DynDNS.
- Respond only: Select if the IP address of the remote endpoint is unknown or cannot be resolved through DynDNS. The gateway is not able to initiate a connection to the remote gateway but waits for incoming connections to which it only needs to respond.

Authentication type: Select the authentication type for this remote gateway definition. The following types are available:

- Preshared key: Authentication with Preshared Keys (PSK) uses secret passwords as keys. These passwords must be distributed to the endpoints before establishing the connection. When a new VPN tunnel is established, each side checks that the other knows the secret password. The security of PSKs depends on the quality of the passwords used: common words and phrases are subject to dictionary attacks. Permanent or long-term IPsec connections should use certificates instead.
- RSA key: Authentication using RSA keys is much more sophisticated. In this scheme, each side of the connection generates a key pair consisting of a public key and a private key. The private key is necessary for the encryption and authentication during the key exchange. Both endpoints of an IPsec VPN connection using this authentication method need their own key pair. Copy the public RSA key of the remote unit (Site-to-site VPN > IPsec > Local RSA Key) into the Public Key box of the local unit and vice versa. In addition, enter the VPN ID types and VPN identifiers that correspond to the respective RSA keys.
- Local X.509 certificate: Similarly, the X.509 certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key together with information identifying the owner of the key. Such certificates are signed and issued by a trusted Certificate Authority (CA). During the key exchange process, the certificates are exchanged and authenticated using a locally stored CA certificate. Select this authentication type if the X.509 certificate of the remote gateway is locally stored on the unit.
- Remote X.509 certificate: Select this authentication type if the X.509 certificate of the remote gateway is not locally stored on the unit. You must then select the VPN ID type and VPN identifier of the certificate being used on the remote unit, that is, the certificate which is selected in the Local X.509 Certificate area of the Site-to-site VPN > IPsec > Advanced tab.

VPN ID type: Depending on the authentication type you must select a VPN ID type and VPN identifier. The VPN identifier entered here must match the values configured on the remote site. Suppose you are using two UTM appliances for establishing a site-to-site VPN tunnel. If you select RSA Key as authentication type on the local unit, the VPN ID type and the VPN identifier must match what is configured on the Site-to-site VPN > IPsec > Local RSA Key tab on the remote unit. You can select among the following VPN ID types:

- IP address
- Hostname
- Email address
- Distinguished name: Only available with Remote X.509 Certificate authentication.
- Any: Default with Respond Only gateway type.

Remote networks: Select the remote networks that should be reachable via the remote gateway.

Comment (optional): Add a description or other information.

3. Make advanced settings if necessary.

The following advanced settings should only be made when you know what their impact is:

Support path MTU discovery: PMTU (Path Maximum Transmission Unit) refers to the size of data packets transmitted. It is usually preferable that IP data packets be of the largest size that does not require fragmentation anywhere along the path from the source to the destination. If any of the data packets are too large to be forwarded without fragmentation by some router along the path, that router will discard them and return ICMP Destination Unreachable messages with a code meaning "fragmentation needed and DF set". Upon receipt of such a message, the source host reduces its assumed PMTU for the path. If you enable this option, UTM enables PMTU if it is enabled on the server side.

Support congestion signaling (ECN): ECN (Explicit Congestion Notification) is an extension to the Internet Protocol and allows end-to-end notifications of network congestion without dropping packets. Select this option if you want to copy ECN information from the original IP packet header into the IPsec packet header. Note that the remote endpoint must support it, as well as the underlying network and involved routers.

Enable XAUTH client mode: XAUTH is an extension of IPsec IKE to authenticate users via username and password at a VPN gateway. To use XAUTH for authentication with this remote gateway, select the option and provide username and password (twice) as required by the remote gateway.

4.   Click Save.

The gateway definition appears on the Remote Gateways list.

To either edit or delete a remote gateway definition, click the corresponding buttons.

15.2.3 Policies

On the IPsec > Policies tab you can customize parameters for IPsec connections and unite them into a policy. An IPsec policy defines IKE (Internet Key Exchange) and IPsec proposal parameters of an IPsec connection. Note that each IPsec connection needs an IPsec policy.

Note – Sophos UTM only supports the main mode in IKE phase 1. The aggressive mode is not supported.

To create an IPsec policy, proceed as follows:

1. On the Policies tab, click New IPsec Policy.

The Add IPsec Policy dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this policy.

IKE encryption algorithm: The encryption algorithm specifies the algorithm used for encrypting the IKE messages. Supported algorithms are:

- DES (56 bit)
- 3DES (168 bit)
- AES 128 (128 bit)
- AES 192 (192 bit)
- AES 256 (256 bit)
- Blowfish (128 bit)
- Twofish (128 bit)
- Serpent (128 bit)

Security Note – We strongly recommend against using DES, as it is a weak algorithm and therefore represents a potential vulnerability.

IKE authentication algorithm: The authentication algorithm specifies the algorithm used for integrity checking of the IKE messages. Supported algorithms are:

- MD5 (128 bit)
- SHA1 (160 bit)
- SHA2 256 (256 bit)
- SHA2 384 (384 bit)
- SHA2 512 (512 bit)

IKE SA lifetime: This value specifies the timeframe in seconds for which the IKE SA (security association) is valid and when the next rekeying should take place. Valid values are between 60 sec and 28800 sec (8 hrs). The default value is 7800 seconds.

IKE DH group: When negotiating a connection, the communicating parties also settle the actual keys used to encrypt the data. In order to generate a session key, IKE uses the Diffie-Hellman (DH) algorithm, which utilizes random data. The random data generation is based on pool bits. The IKE group basically tells the number of pool bits. The more pool bits, the larger the random numbers. The larger the numbers, the harder it is to crack the Diffie-Hellman algorithm. As a consequence, more pool bits mean more security but also the consumption of more CPU resources. Currently, the following Diffie-Hellman groups are supported:

- Group 1: MODP 768
- Group 2: MODP 1024
- Group 5: MODP 1536
- Group 14: MODP 2048
- Group 15: MODP 3072
- Group 16: MODP 4096

Security Note – Group 1 (MODP 768) is considered weak and only supported for interoperability reasons. We strongly recommend against using it, as it represents a potential vulnerability.

IPsec encryption algorithm: The same encryption algorithms as for IKE. Additionally there are the following entries:

- No encryption (null)
- AES 128 CTR (128 bit)
- AES 192 CTR (192 bit)
- AES 256 CTR (256 bit)
- AES 128 GCM (96 bit)
- AES 192 GCM (96 bit)
- AES 256 GCM (96 bit)
- AES 128 GCM (128 bit)
- AES 192 GCM (128 bit)
- AES 256 GCM (128 bit)

Security Note – We strongly recommend against using no encryption or DES, as this represents a potential vulnerability.

IPsec authentication algorithm: The same authentication algorithms as for IKE. Additionally there are the following algorithms:

- SHA2 256 (96 bit)
- SHA2 384 (96 bit)
- SHA2 512 (96 bit)

Those are available for compliance with tunnel endpoints not adhering to RFC 4868, for example UTM (i.e., ASG) versions older than V8, which therefore do not support truncated checksums longer than 96 bit.

IPsec SA lifetime: This value specifies the timeframe in seconds for which the IPsec SA is valid and when the next rekeying should take place. Valid values are between 60 sec and 86400 sec (1 day). The default value is 3600 seconds.

IPsec PFS group: Perfect Forward Secrecy (PFS) refers to the notion that if a session key is compromised, it will permit access only to data of this specific session. In order for PFS to exist, the key used to protect the IPsec SA must not be derived from random keying material used to get the keys for the IKE SA. Therefore, PFS initiates a second Diffie-Hellman key exchange proposing the selected DH group for the IPsec connection to get a new randomly generated key. Supported Diffie-Hellman groups are the same as for IKE.

Enabling PFS is considered to be more secure, but it also takes more time for the exchange. It is not recommended to use PFS on slow hardware.

Note – PFS is not fully interoperable with all vendors. If you notice problems during the negotiation, you might consider disabling PFS.

Strict policy: If an IPsec gateway makes a proposition with respect to an encryption algorithm and to the strength, it might happen that the gateway of the receiver accepts this proposition, even though the IPsec policy does not correspond to it. If you select this option and the remote endpoint does not agree on using exactly the parameters you specified, the IPsec connection will not be established. Suppose the IPsec policy of your UTM requires AES-256 encryption, whereas, for example, a road warrior with SSH Sentinel wants to connect with AES-128; with the strict policy option enabled, the connection would be rejected.

Note – The compression setting will not be enforced via Strict policy.

Compression: This option specifies whether IP packets should be compressed by means of the IP Payload Compression Protocol (IPComp) prior to encryption. IPComp reduces the size of IP packets by compressing them to increase the overall communication performance between a pair of communicating hosts or gateways. Compression is turned off by default.

Comment (optional): Add a description or other information.

3. Click Save.

The new policy appears on the Policies list.

To either edit or delete a policy, click the corresponding buttons.
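An added example, not Sophos code: a Python model of the settings on this tab that flags the values its Security Notes warn against (DES, null encryption, DH group 1, the 96-bit SHA2 truncations, PFS off) and applies the Strict policy rule to a peer's proposal, including the AES-256 versus AES-128 case described above and the fact that compression is not enforced. Option names and value ranges come from the text; the IPsecPolicy class, its algorithm defaults and the negotiate() model are assumptions of the example.

```python
"""Model of the IPsec > Policies tab settings and of the Strict policy rule.
Added example, not Sophos code: the UTM exposes no such Python API. Option
names and ranges are those of the tab; the class, its algorithm defaults and
the negotiate() model are this example's assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Optional

IKE_ENC = ("DES", "3DES", "AES 128", "AES 192", "AES 256", "Blowfish", "Twofish", "Serpent")
IPSEC_ENC = IKE_ENC + ("null", "AES 128 CTR", "AES 192 CTR", "AES 256 CTR",
                       "AES 128 GCM 96", "AES 192 GCM 96", "AES 256 GCM 96",
                       "AES 128 GCM 128", "AES 192 GCM 128", "AES 256 GCM 128")
IKE_AUTH = ("MD5", "SHA1", "SHA2 256", "SHA2 384", "SHA2 512")
IPSEC_AUTH = IKE_AUTH + ("SHA2 256 96", "SHA2 384 96", "SHA2 512 96")  # pre-RFC 4868 peers
DH_GROUPS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}        # group -> MODP bits
IKE_LIFETIME, IKE_LIFETIME_DEFAULT = (60, 28800), 7800        # seconds
IPSEC_LIFETIME, IPSEC_LIFETIME_DEFAULT = (60, 86400), 3600    # seconds


@dataclass
class IPsecPolicy:
    name: str
    ike_encryption: str = "AES 256"      # algorithm defaults are the example's, not the UTM's
    ike_authentication: str = "SHA2 256"
    ike_lifetime: int = IKE_LIFETIME_DEFAULT
    ike_dh_group: int = 14
    ipsec_encryption: str = "AES 256"
    ipsec_authentication: str = "SHA2 256"
    ipsec_lifetime: int = IPSEC_LIFETIME_DEFAULT
    pfs_group: Optional[int] = 14        # None = PFS disabled
    strict_policy: bool = False
    compression: bool = False


def validate(p: IPsecPolicy) -> list:
    """(severity, message) pairs: 'error' for values the tab does not accept,
    'warning' for choices its Security Notes advise against, 'info' for PFS off."""
    f = []
    for label, value, allowed in (("IKE encryption", p.ike_encryption, IKE_ENC),
                                  ("IKE authentication", p.ike_authentication, IKE_AUTH),
                                  ("IPsec encryption", p.ipsec_encryption, IPSEC_ENC),
                                  ("IPsec authentication", p.ipsec_authentication, IPSEC_AUTH)):
        if value not in allowed:
            f.append(("error", f"{label} {value!r} is not supported"))
    for label, value, (lo, hi) in (("IKE SA lifetime", p.ike_lifetime, IKE_LIFETIME),
                                   ("IPsec SA lifetime", p.ipsec_lifetime, IPSEC_LIFETIME)):
        if not lo <= value <= hi:
            f.append(("error", f"{label} {value} s is outside {lo}-{hi} s"))
    for label, group in (("IKE DH group", p.ike_dh_group), ("IPsec PFS group", p.pfs_group)):
        if group is None:
            continue
        if group not in DH_GROUPS:
            f.append(("error", f"{label} {group} is not supported"))
        elif group == 1:
            f.append(("warning", f"{label} 1 (MODP 768) is weak, interoperability only"))
    if "DES" in (p.ike_encryption, p.ipsec_encryption):
        f.append(("warning", "DES is a weak algorithm"))
    if p.ipsec_encryption == "null":
        f.append(("warning", "IPsec traffic would be authenticated but not encrypted"))
    if p.ipsec_authentication.endswith(" 96"):
        f.append(("warning", "96-bit SHA2 truncation is for pre-RFC 4868 peers only"))
    if p.pfs_group is None:
        f.append(("info", "PFS disabled: IPsec keys derive from IKE keying material"))
    return f


def negotiate(local: IPsecPolicy, proposal: dict) -> Optional[dict]:
    """Decide a peer's IPsec proposal as the Strict policy text describes.
    proposal keys: ipsec_encryption, ipsec_authentication, pfs_group, compression.
    Returns the agreed parameters, or None when the connection is refused."""
    enforced = ("ipsec_encryption", "ipsec_authentication", "pfs_group")
    mine = asdict(local)
    if local.strict_policy and any(proposal.get(k) != mine[k] for k in enforced):
        return None  # strict: only exactly the configured parameters are acceptable
    if (proposal.get("ipsec_encryption") not in IPSEC_ENC
            or proposal.get("ipsec_authentication") not in IPSEC_AUTH):
        return None  # not strict, but this side cannot run the proposed algorithm at all
    agreed = {k: proposal.get(k) for k in enforced}
    # Compression is never enforced by Strict policy; modelled as IPComp in use
    # only when both sides ask for it.
    agreed["compression"] = bool(proposal.get("compression")) and local.compression
    return agreed


if __name__ == "__main__":
    hq = IPsecPolicy("hq", strict_policy=True)
    road_warrior = {"ipsec_encryption": "AES 128", "ipsec_authentication": "SHA2 256",
                    "pfs_group": 14, "compression": False}
    print(negotiate(hq, road_warrior))   # None: AES-128 offered, AES-256 required
    print(validate(IPsecPolicy("legacy", ike_encryption="DES", ike_dh_group=1)))
```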

15.2.4 Local RSA Key

With RSA authentication, RSA keys are used for authentication of the VPN endpoints. The public keys of the endpoints are exchanged manually before the connection is established. If you want to use this authentication type, you have to define a VPN identifier and create a local RSA key. The public RSA key of the gateway must be made available to remote IPsec devices that use IPsec RSA authentication with Sophos UTM.

Current Local Public RSA Key

Displayed is the public portion of the currently installed local RSA key pair. Click into the box, then press CTRL-A and CTRL-C to copy it to the clipboard.

Local RSA Key VPN Options

Select the VPN ID type which best suits your needs. By default, the hostname of the gateway is taken as the VPN identifier. If you have a static IP address as local VPN endpoint, select IP address. Alternatively, use an email address as VPN ID for mobile IPsec road warriors.

- Hostname: Default setting; the hostname of the gateway. However, you can enter a different hostname here.
- Email address: By default, this is the email address of the gateway's admin account. However, you can enter a different email address here.
- IP address: The IP address of the external interface of the gateway.

Click Apply to save your settings. Changing the settings does not modify the RSA key.

Re-generate Local RSA Key

To generate a new RSA key, select the desired key size and click Apply. This will start the key generation process, which can take from a few minutes up to two hours, according to your selected key length and used hardware. The key size (key length) is a measure of the number of keys which are possible with a cipher. The length is usually specified in bits. The following key sizes are supported:

- 1024 bits
- 2048 bits
- 4096 bits

Once the RSA key has been generated, the appropriate public key will be displayed in the Current Local Public RSA Key box. Generating a new RSA key will overwrite the old one.

15.2.5 Advanced

On the Site-to-site VPN > IPsec > Advanced tab you can configure advanced options of IPsec VPN. Depending on your preferred authentication type, you can define the local certificate (for X.509 authentication) and the local RSA key (for RSA authentication), among other things. Note that this should only be done by experienced users.

Local X.509 Certificate

With X.509 authentication, certificates are used to verify the public keys of the VPN endpoints. If you want to use this authentication type, you have to select a local certificate from the drop-down list in the Local X.509 Certificate area. The selected key/certificate is then used to authenticate the gateway to remote peers if X.509 authentication is selected.

You can only select certificates where the appropriate private key is present; other certificates are not available in the drop-down list.

If there is no certificate available for selection, you have to add one in the Certificate Management menu, either by creating a new one or by importing one using the upload function.

After selecting the certificate, enter the passphrase the private key was protected with. During the saving process, the passphrase is verified and an error message is displayed if it does not match the encrypted key.

Once an active key/certificate is selected, it is displayed in the Local X.509 Certificate area.

Dead Peer Detection (DPD)

Use Dead Peer Detection: The dead peer detection option is used for automatically terminating a connection if the remote VPN gateway or client is unreachable. For connections with static endpoints, the tunnel will be re-negotiated automatically. Connections with dynamic endpoints require the remote side to re-negotiate the tunnel. Usually it is safe to always enable this option. The IPsec peers automatically determine whether the remote side supports dead peer detection or not, and will fall back to normal mode if necessary.

NAT Traversal (NAT-T)

Use NAT Traversal: Select to enable IPsec traffic to pass upstream systems which use Network Address Translation (NAT). Additionally, you can define the keepalive interval for NAT traversal. Click Apply to save your settings.

CRL Handling

There might be situations in which the provider of a certificate attempts to revoke the confirmation awarded with still valid certificates, for example if it has become known that the receiver of the certificate fraudulently obtained it by using wrong data (name, etc.) or because an attacker has got hold of the private key, which is part of the certified public key. For this purpose, so-called Certificate Revocation Lists or CRLs are used. They normally contain the serial numbers of those certificates of a certifying instance that have been held invalid and that are still valid according to their respective periods of validity.

After the expiration of these periods the certificate will no longer be valid and must therefore not be maintained in the block list.

Automatic Fetching: This function automatically requests the CRL through the URL defined in the partner certificate via HTTP, Anonymous FTP or LDAP version 3. On request, the CRL can be downloaded, saved and updated once the validity period has expired. If you use this feature but not via port 80 or 443, make sure that you set the firewall rules accordingly, so that the CRL distribution server can be accessed.

Strict Policy: If this option is enabled, any partner certificate without a corresponding CRL will be rejected.

Preshared Key Probing

For IPsec connections using the respond-only mode you can decide to use different preshared keys (PSK) for each IPsec connection.

Enable probing of preshared keys: Select the checkbox to enable this option. This will affect L2TP-over-IPsec, remote access IPsec, and VPN IPsec connections.

15.2.6 Debug

IKE Debugging

In the IKE Debugging section you can configure IKE debug options. Select the checkboxes for which types of IKE messages or communication you want to create debug output.

Note – The IKE Debugging section is identical across the Debug tabs of the menus Site-to-site VPN IPsec, Remote Access IPsec, L2TP over IPsec and Cisco VPN Client.

The following flags can be logged:

- Control Flow: Displays control messages of IKE state
- Outbound packets: Displays content of outgoing IKE messages
- Inbound packets: Displays content of incoming IKE messages
- Kernel messaging: Displays communication messages with the kernel
- High availability: Displays communication with other HA nodes

15.3 SSL

Site-to-site VPN tunnels can be established via an SSL connection. SSL VPN connections have distinct roles attached. The tunnel endpoints act as either client or server. The client always initiates the connection; the server responds to client requests. Keep in mind that this contrasts with IPsec, where both endpoints normally can initiate a connection.

Note – If you run into problems in establishing a connection, check whether SSL scanning is activated with the Web Filter operating in transparent mode. If so, make sure that the target host of the VPN connection has been added to the Transparent Mode Skiplist under Web Protection > Filtering Options > Misc.

15.3.1 Connections

To create an SSL VPN site-to-site tunnel, it is crucial to create the server configuration first. The configuration of the client always has to be the second step.

To create a server configuration, proceed as follows:

1. On the Connections tab, click New SSL Connection.

The Add SSL Connection dialog box opens.

2. Make the following settings:

Connection type: Select Server from the drop-down list.

Connection name: Enter a descriptive name for the connection.

Use static virtual IP address (optional): Only select this option if the IP address pool is not compatible with the client's network environment: By default clients are assigned an IP address from the Virtual IP Pool (configurable on the Settings tab). Rarely, it may happen that such an IP address is already in use on the client's host. In that case enter a suitable IP address in the Static Peer IP field which will then be assigned to the client during tunnel setup.

Local networks: Select or add one or more local networks that are allowed to be accessed remotely. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Remote networks: Select or add one or more remote networks that are allowed to connect to the local network(s).

Note – You can change the Local networks and Remote networks settings later without having to reconfigure the client.

Automatic firewall rules (optional): When enabled, the UTM will automatically allow access to the selected local networks for all accessing SSL VPN clients.

Comment (optional): Add a description or other information.


3. Click Save.

The new SSL server connection appears on the Connections list.

4. Download the configuration file.

Use the Download button, which is located in the newly created SSL server connection row, to download the client configuration file for this connection.

Encrypt configuration file (optional): It is advisable to encrypt the configuration file for security reasons. Enter a password twice.

Click Download peer config to save the file.

This file is needed by the client-side administrator in order to be able to set up the client endpoint of the tunnel.

The next step is the client configuration, which has to take place on the client side and not on the server side. Ensure that the downloaded client configuration file is at hand.

To create a client configuration, proceed as follows:

1. On the Connections tab, click New SSL Connection.

The Add SSL Connection dialog box opens.

2. Make the following settings:

Connection type: Select Client from the drop-down list.

Connection name: Enter a descriptive name for the connection.

Configuration file: Click the Folder icon, browse for the client configuration file and click Start Upload.

Password (optional): If the file has been encrypted, enter the password.

Use HTTP proxy server (optional): Select the checkbox if the client is located behind a proxy and enter the settings for the proxy.

Proxy requires authentication (optional): Select the checkbox if the client needs to authenticate against the proxy and enter username and password.

Override peer hostname (optional): Select the checkbox and enter a hostname here if the server system's regular hostname (or DynDNS hostname) cannot be resolved from the client host.

Automatic firewall rules (optional): When enabled, the UTM will automatically allow traffic between hosts on the tunneled local and remote networks.

Comment (optional): Add a description or other information.


3. Click Save.

The new SSL VPN client connection appears on the Connections list.

To either edit or delete a client connection, click the corresponding buttons.

Click on the Site-to-site VPN menu to see the status of the SSL VPN connection on the overview page. The status icon there turns green when the connection is established. Then information about the interconnected subnets on both sides of the tunnel becomes available, too.

15.3.2 Settings

On the SSL > Settings tab you can configure the basic settings for SSL VPN server connections.

Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL. Changes applied here always affect both SSL configurations.

Server Settings

You can make the following settings for the SSL VPN connection:

• Interface Address: Default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen for SSL connections. This is necessary for the site-to-site/remote access SSL connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.

• Protocol: Select the protocol to use. You can choose either TCP or UDP.

• Port: You can change the port. The default port is 443. You cannot use port 10443, the SUM Gateway Manager port 4422, or the port used by the WebAdmin interface.

• Override Hostname: The value in the Override Hostname box is used as the target hostname for client VPN connections and is by default the hostname of the gateway. Only change the default if the system's regular hostname (or DynDNS hostname) cannot be reached under this name from the Internet.

Virtual IP Pool

Pool Network: This is the virtual IP address pool which is used to distribute IP addresses from a certain IP range to the SSL clients. By default, the VPN Pool (SSL) is selected. In case you select a different address pool, the netmask must not be greater than 29 bits, because OpenVPN cannot handle address pools whose netmask is /30, /31, or /32. Note that the netmask is limited to a minimum of 16.


Duplicate CN

Select Allow Multiple Concurrent Connections Per User if you want to allow your users to connect from different IP addresses at the same time. When disabled, only one concurrent SSL VPN connection is allowed per user.

15.3.3 Advanced

On the SSL > Advanced tab you can configure various advanced server options ranging from the cryptographic settings, through compression settings, to debug settings.

Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL. Changes applied here always affect both SSL configurations.

Cryptographic Settings

These settings control the encryption parameters for all SSL VPN remote access clients:

• Encryption Algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, which are all in Cipher Block Chaining (CBC) mode:

  • DES-EDE3-CBC

  • AES-128-CBC (128 bit)

  • AES-192-CBC (192 bit)

  • AES-256-CBC (256 bit)

  • BF-CBC (Blowfish (128 bit))

• Authentication Algorithm: The authentication algorithm specifies the algorithm used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:

  • MD5 (128 bit)

  • SHA-1 (160 bit)

  • SHA2 256 (256 bit)

  • SHA2 384 (384 bit)

  • SHA2 512 (512 bit)


• Key Size: The key size (key length) is the length of the Diffie-Hellman key exchange. The longer this key is, the more secure the symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.

• Server Certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself against the clients.

• Key Lifetime: Enter a time period after which the key will expire. The default is 28,800 seconds.

Compression Settings

Compress SSL VPN Traffic: When enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption.

Debug Settings

Enable Debug Mode: When enabling debug mode, the SSL VPN log file will contain extended information useful for debugging purposes.

15.4 Certificate Management

The Site-to-site VPN > Certificate Management menu is the central place to manage all certificate-related operations of Sophos UTM. This includes creating or importing X.509 certificates as well as uploading so-called Certificate Revocation Lists (CRLs), among other things.

15.4.1 Certificates

On the Site-to-site VPN > Certificate Management > Certificates tab you can create or import public key certificates in the X.509 standard format. Such certificates are digitally signed statements usually issued by a Certificate Authority (CA) binding together a public key with a particular Distinguished Name (DN) in X.500 notation.

All certificates you create on this tab contain an RSA key. They are signed by the self-signed certificate authority (CA) VPN Signing CA that was created automatically using the information you provided during the initial login to the WebAdmin interface.

To generate a certificate, proceed as follows:

1. On the Certificates tab, click New Certificate.

The Add Certificate dialog box opens.


2. Make the following settings:

Name: Enter a descriptive name for this certificate.

Method: To create a certificate, select Generate (for more information on uploading certificates, see below).

Key size: The length of the RSA key. The longer the key, the more secure it is. You can choose among key sizes of 1024, 2048, or 4096 bits. Select the maximum key size compatible with the application programs and hardware devices you intend to use. Unless longer keys cause critical performance issues for your specific purposes, do not reduce the key size in order to optimize performance.

VPN ID type: You have to define a unique identifier for the certificate. The following types of identifiers are available:

• Email address

• Hostname

• IP address

• Distinguished name

VPN ID: Depending on the selected VPN ID type, enter the appropriate value into this text box. For example, if you selected IP address from the VPN ID type list, enter an IP address into this text box. Note that this text box will be hidden when you select Distinguished Name from the VPN ID type list.

Use the drop-down lists and text boxes from Country to Email to enter identifying information about the certificate holder. This information is used to build the Distinguished Name, that is, the name of the entity whose public key the certificate identifies. This name contains a lot of personal information in the X.500 standard and is supposed to be unique across the Internet. If the certificate is for a road warrior connection, enter the name of the user in the Common name box. If the certificate is for a host, enter a hostname.

Comment (optional): Add a description or other information.

3. Click Save.

The certificate appears on the Certificates list.

To delete a certificate, click the Delete button of the respective certificate.

Alternatively, to upload a certificate, proceed as follows:

1. On the Certificates tab, click New Certificate.

The Add Certificate dialog box opens.


2. Make the following settings:

Name: Enter a descriptive name for this certificate.

Method: Select Upload.

File type: Select the file type of the certificate. You can upload certificates of one of the following types:

• PKCS#12 (Cert+CA): PKCS refers to a group of Public Key Cryptography Standards (PKCS) devised and published by RSA Laboratories. The PKCS#12 file format is commonly used to store private keys with accompanying public key certificates, protected with a container passphrase. You must know this container passphrase to upload files in this format.

• PEM (Cert only): A Base64 encoded Privacy Enhanced Mail (PEM) file format with no password required.

File: Click the Folder icon next to the File box and select the certificate you want to upload.

Comment (optional): Add a description or other information.

3. Click Save.

The certificate appears on the Certificates list.

To delete a certificate, click the Delete button of the respective certificate.

You can download the certificate either in PKCS#12 or in PEM format. The PEM file only contains the certificate itself, while the PKCS#12 file also contains the private key as well as the CA certificate with which it was signed.

15.4.2 Certificate Authority

On the Site-to-site VPN > Certificate Management > Certificate Authority tab you can add new Certificate Authorities to the unit. Generally speaking, a certificate authority or Certification Authority (CA) is an entity which issues digital certificates for use by other parties. A CA attests that the public key contained in the certificate belongs to the person, organization, host, or other entity noted in the certificate by signing the certificate signing request with the private key of the CA's own certificate. Such a CA is therefore called a signing CA.

On UTM, the signing CA was created automatically using the information you provided during the initial login to UTM. Thus, all certificates you create on the Certificates tab are self-signed certificates, meaning that the issuer and the subject are identical. However, you can alternatively import a signing CA by third-party vendors. In addition, to verify the authenticity of a host or user requesting an IPsec connection, you can also use alternative CA certificates whose private keys are unknown. Those CA certificates are called verification CAs and can be added on this tab as well.

Important Note – You can have multiple verification CAs on your system, but only one signing CA. So if you upload a new signing CA, the previously installed signing CA automatically becomes a verification CA.

To import a CA, proceed as follows:

1. On the Certificate Authority tab, click Import CA.

The Import CA dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this CA.

Type: Select the type of CA you are going to import. You can choose between verification CAs or signing CAs. A verification CA must be available in the PEM format, while a signing CA must be available in the PKCS#12 format.

CA Certificate: Click the Folder icon next to the CA Certificate box and select the certificate you want to import. Note that if you are to upload a new signing CA, you must enter the password with which the PKCS#12 container was secured.

Comment (optional): Add a description or other information.

3. Click Save.

The new CA certificate appears on the Certificate Authority list.

To delete a CA, click the Delete button of the respective CA.

The signing CA can be downloaded in PKCS#12 format. You will then be prompted to enter a password, which will be used to secure the PKCS#12 container. In addition, verification CAs can be downloaded in PEM format.

15.4.3 Revocation Lists (CRLs)

A CRL is a list of certificates (more precisely, their serial numbers) which have been revoked, that is, are no longer valid, and should therefore not be relied upon. On the Site-to-site VPN > Certificate Management > Revocation Lists (CRLs) tab you can upload the CRL that is deployed within your PKI.


To upload a CRL, proceed as follows:

1. On the Revocation Lists (CRLs) tab, click Upload CRL.

The Upload CRL dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this CRL.

CRL File: Click the Folder icon next to the CRL File box and select the CRL you want to upload.

Comment (optional): Add a description or other information.

3. Click Save.

The new CRL appears on the list of revocation lists.

To delete a CRL, click the Delete button of the respective CRL.

15.4.4 Advanced

On the Site-to-site VPN > Certificate Management > Advanced tab you can re-generate the VPN Signing CA that was created during the initial setup of the unit. The VPN Signing CA is the certificate authority with which digital certificates are signed that are used for remote access and site-to-site VPN connections. The old VPN signing CA will be kept as verification CA.

Re-generate Signing CA

You can renew all user certificates using the current signing CA. This becomes relevant once you have installed an alternative VPN Signing CA on the Certificate Authority tab.

Caution – The UTM and all user certificates will be re-generated using the new signing CA. This will break certificate-based site-to-site and remote access VPN connections.


16 Remote Access

This chapter describes how to configure remote access settings of Sophos UTM. Remote access using Sophos UTM is realized by means of Virtual Private Networks (VPNs), which are a cost effective and secure way to provide remote users such as telecommuting employees access to the corporate network. VPNs use cryptographic tunneling protocols such as IPsec and PPTP to provide confidentiality and privacy of the data transmitted over them.

Cross Reference – More information on how to configure remote access VPN connections can be found in the Sophos Knowledgebase.

The UTM automatically generates necessary installation and configuration files for the respective remote access connection type. Those files can be downloaded directly from the User Portal. However, only those files are available to a user that correspond to the connection types enabled for them, e.g., a user who has been enabled to use SSL remote access will find an SSL installation file only.

Note – You can download remote access configuration files of all or selected users on the Definitions & Users > Users & Groups > Users tab.

The Remote Access Status page contains an overview of all online users.

The following topics are included in this chapter:

• SSL

• PPTP

• L2TP over IPsec

• IPsec

• HTML5 VPN Portal

• Cisco VPN Client

• Advanced

• Certificate Management


16.1 SSL

The remote access SSL feature of Sophos UTM is realized by OpenVPN, a full-featured SSL VPN solution. It provides the ability to create point-to-point encrypted tunnels between remote employees and your company, requiring both SSL certificates and a username/password combination for authentication to enable access to internal resources. In addition, it offers a secure User Portal, which can be accessed by each authorized user to download a customized SSL VPN client software bundle. This bundle includes a free SSL VPN client, SSL certificates and a configuration that can be handled by a simple one-click installation procedure. This SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more.

Cross Reference – More information on how to use the SSL VPN client can be found in the Sophos Knowledgebase.

16.1.1 Profiles

On the Remote Access > SSL > Profiles tab you can create different profiles for remote access users defining basic settings for SSL VPN access.

To configure an SSL VPN profile, proceed as follows:

1. On the Profiles tab, click New Remote Access Profile.

The Add Remote Access Profile dialog box opens.

2. Make the following settings:

Profile name: Enter a descriptive name for this profile.

Users and groups: Select the users or user groups or add new users that should be able to use SSL VPN remote access with this profile. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Local networks: Select or add the local network(s) that should be reachable to the selected SSL clients through the VPN SSL tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.


Note – By default, the SSL VPN solution of Sophos UTM employs so-called split tunneling, that is, the process of allowing a remote VPN user to access a public network, for example, the Internet, at the same time that the user is allowed to access resources on the VPN. However, split tunneling can be bypassed if you select Any in the Local networks field. Thus, all traffic will be routed through the VPN SSL tunnel. Whether users are allowed to access a public network then depends on your firewall configuration.

Automatic firewall rules: Select this option to automatically add firewall rules that allow traffic for this profile. The rules are added as soon as the profile is enabled, and they are removed when the profile is disabled. If you do not select this option, you need to specify appropriate firewall rules manually.

Comment (optional): Add a description or other information.

3. Click Save.

The new profile appears on the Profiles list.

To either edit or delete a profile, click the corresponding buttons.

Note – The Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition does exist on the UTM (see Definitions & Users > Users & Groups > Users). Authorized users who have successfully logged in to the User Portal find the SSL VPN client software bundle as well as a link to installation instructions, which are available at the Sophos Knowledgebase. Downloading may fail with some browsers on Android if the CA certificate is not installed or if the hostname does not match the common name in the portal certificate. In this case, the user needs to install the CA certificate or try another browser.

Open Live Log

The OpenVPN Live Log logs remote access activities. Click the button to open the live log in a new window.

16.1.2 Settings

On the SSL > Settings tab you can configure the basic settings for SSL VPN server connections.


Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL. Changes applied here always affect both SSL configurations.

Server Settings

You can make the following settings for the SSL VPN connection:

• Interface Address: Default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen for SSL connections. This is necessary for the site-to-site/remote access SSL connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.

• Protocol: Select the protocol to use. You can choose either TCP or UDP.

• Port: You can change the port. The default port is 443. You cannot use port 10443, the SUM Gateway Manager port 4422, or the port used by the WebAdmin interface.

• Override Hostname: The value in the Override Hostname box is used as the target hostname for client VPN connections and is by default the hostname of the gateway. Only change the default if the system's regular hostname (or DynDNS hostname) cannot be reached under this name from the Internet.

Virtual IP Pool

Pool Network: This is the virtual IP address pool which is used to distribute IP addresses from a certain IP range to the SSL clients. By default, the VPN Pool (SSL) is selected. In case you select a different address pool, the netmask must not be greater than 29 bits, because OpenVPN cannot handle address pools whose netmask is /30, /31, or /32. Note that the netmask is limited to a minimum of 16.

Duplicate CN

Select Allow Multiple Concurrent Connections Per User if you want to allow your users to connect from different IP addresses at the same time. When disabled, only one concurrent SSL VPN connection is allowed per user.

16.1.3 Advanced

On the SSL > Advanced tab you can configure various advanced server options ranging from the cryptographic settings, through compression settings, to debug settings.


Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL. Changes applied here always affect both SSL configurations.

Cryptographic Settings

These settings control the encryption parameters for all SSL VPN remote access clients:

• Encryption Algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, which are all in Cipher Block Chaining (CBC) mode:

  • DES-EDE3-CBC

  • AES-128-CBC (128 bit)

  • AES-192-CBC (192 bit)

  • AES-256-CBC (256 bit)

  • BF-CBC (Blowfish (128 bit))

• Authentication Algorithm: The authentication algorithm specifies the algorithm used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:

  • MD5 (128 bit)

  • SHA-1 (160 bit)

  • SHA2 256 (256 bit)

  • SHA2 384 (384 bit)

  • SHA2 512 (512 bit)

• Key Size: The key size (key length) is the length of the Diffie-Hellman key exchange. The longer this key is, the more secure the symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.

• Server Certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself against the clients.

• Key Lifetime: Enter a time period after which the key will expire. The default is 28,800 seconds.

Compression Settings

Compress SSL VPN Traffic: When enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption.


Debug Settings

Enable Debug Mode: When enabling debug mode, the SSL VPN log file will contain extended information useful for debugging purposes.
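As an added example (not Sophos code) covering the Settings and Advanced tabs of both Site-to-site VPN > SSL and Remote Access > SSL, the following Python script checks a planned configuration against the constraints stated above before it is entered in WebAdmin, and flags the weaker selectable choices. The dict keys, the webadmin_port default of 4444 and the sample pool address are assumptions of the example.

```python
"""Pre-flight check of SSL VPN Settings/Advanced values (added example).

Models the constraints the manual states: pool netmask between /16 and /29
(OpenVPN cannot use /30, /31, /32), ports 10443, 4422 and the WebAdmin port
reserved, the listed cipher/auth algorithms and the 1024/2048-bit DH choice.
Key names mirror WebAdmin labels; the dict layout itself is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Values the manual lists as selectable on the Advanced tab.
SUPPORTED_CIPHERS = {"DES-EDE3-CBC", "AES-128-CBC", "AES-192-CBC",
                     "AES-256-CBC", "BF-CBC"}
SUPPORTED_AUTH = {"MD5", "SHA-1", "SHA2 256", "SHA2 384", "SHA2 512"}
SUPPORTED_DH_BITS = {1024, 2048}
# Ports the manual reserves besides the WebAdmin port (10443, SUM 4422).
RESERVED_PORTS = {10443, 4422}


@dataclass
class Finding:
    level: str    # "error": WebAdmin would not accept it; "warn": weak choice
    message: str


def check_ssl_vpn_settings(cfg: dict, webadmin_port: int = 4444) -> list:
    """Return a list of Finding objects for one Settings/Advanced config.

    webadmin_port defaults to 4444 (assumed; pass your own WebAdmin port).
    """
    findings = []

    def err(msg):
        findings.append(Finding("error", msg))

    def warn(msg):
        findings.append(Finding("warn", msg))

    # Interface Address: "Any" is not usable while the WAF is active.
    if cfg.get("waf_enabled") and cfg.get("interface_address", "Any") == "Any":
        err("Interface Address must be a specific address when the web "
            "application firewall is in use")

    if cfg.get("protocol") not in ("TCP", "UDP"):
        err("Protocol must be TCP or UDP")

    port = cfg.get("port", 443)
    if port in RESERVED_PORTS or port == webadmin_port:
        err(f"port {port} is reserved (10443, SUM 4422 or WebAdmin)")

    # Virtual IP Pool: prefix must lie in /16../29, network bits only.
    try:
        pool = ipaddress.ip_network(cfg.get("pool_network", ""), strict=True)
        if not 16 <= pool.prefixlen <= 29:
            err(f"pool netmask /{pool.prefixlen} outside the allowed /16../29")
    except ValueError as exc:
        err(f"pool network invalid: {exc}")

    cipher = cfg.get("encryption_algorithm")
    if cipher not in SUPPORTED_CIPHERS:
        err(f"unsupported encryption algorithm {cipher!r}")
    elif cipher in ("DES-EDE3-CBC", "BF-CBC"):
        warn(f"{cipher} is a 64-bit block cipher; prefer AES-256-CBC")

    auth = cfg.get("authentication_algorithm")
    if auth not in SUPPORTED_AUTH:
        err(f"unsupported authentication algorithm {auth!r}")
    elif auth in ("MD5", "SHA-1"):
        warn(f"{auth} is a legacy hash; prefer SHA2 256 or stronger")

    dh = cfg.get("key_size")
    if dh not in SUPPORTED_DH_BITS:
        err(f"key size must be 1024 or 2048 bits, got {dh!r}")
    elif dh == 1024:
        warn("1024-bit Diffie-Hellman is below current recommendations; use 2048")

    lifetime = cfg.get("key_lifetime", 28800)
    if not isinstance(lifetime, int) or lifetime <= 0:
        err("key lifetime must be a positive number of seconds")
    elif lifetime > 28800:
        warn(f"key lifetime {lifetime} s exceeds the 28,800 s default")

    return findings


def is_acceptable(cfg: dict, webadmin_port: int = 4444) -> bool:
    """True when nothing would be rejected by WebAdmin (warnings allowed)."""
    return not any(f.level == "error"
                   for f in check_ssl_vpn_settings(cfg, webadmin_port))


# Constructed sample: the manual's defaults plus two weak algorithm choices.
SAMPLE_CFG = {
    "interface_address": "Any", "waf_enabled": False,
    "protocol": "UDP", "port": 443,
    "pool_network": "10.242.2.0/24",      # constructed pool, not the UTM default
    "encryption_algorithm": "BF-CBC",
    "authentication_algorithm": "SHA-1",
    "key_size": 2048, "key_lifetime": 28800,
}

if __name__ == "__main__":
    for finding in check_ssl_vpn_settings(SAMPLE_CFG):
        print(f"{finding.level:5s} {finding.message}")
```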

16.2 PPTP

Point-to-Point Tunneling Protocol (PPTP) allows single Internet-based hosts to access internal network services through an encrypted tunnel. PPTP is easy to configure and requires no special client software on Microsoft Windows systems.

PPTP is included with versions of Microsoft Windows starting with Windows 95. In order to use PPTP with Sophos UTM, the client computer must support the MSCHAPv2 authentication protocol. Windows 95 and 98 users must apply an update to their systems in order to support this protocol.

16.2.1 Global

To configure global PPTP options, proceed as follows:

1. On the Global tab, enable PPTP remote access.

Click the toggle switch.

The toggle switch turns amber and the Main Settings area becomes editable.

2. Make the following settings:

Authentication via: Select the authentication mechanism. PPTP remote access only supports local and RADIUS authentication.

• Local: If you select Local, specify the users and user groups who should be able to use PPTP remote access. It is not possible to drag backend user groups into the field. Until a user account has been specified, PPTP remote access cannot be activated.

Note – Username and password of the selected users may only contain ASCII printable characters (see http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters).


Note – Similar to SSL VPN, the Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition does exist on the UTM. Authorized users who have successfully logged in to the User Portal will find a link to installation instructions, which are available at the Sophos Knowledgebase.

• RADIUS: RADIUS can only be selected if a RADIUS server has been previously configured. With this authentication method users will be authenticated against an external RADIUS server that can be configured on the Definitions & Users > Authentication Services > Servers tab. The Users and Groups dialog box will be grayed out. However, its settings can still be changed, which has no effect. The RADIUS server must support MSCHAPv2 challenge-response authentication. The server can pass back parameters such as the client's IP address and DNS/WINS server addresses. The PPTP module sends the following string as NAS-ID to the RADIUS server: pptp. Note that when RADIUS authentication is selected, local users cannot be authenticated with PPTP anymore. Note further that clients must support MSCHAPv2 authentication as well.

Assign IP addresses by: IP addresses can be either assigned from a predefined IP address pool or distributed automatically by means of a DHCP server:

• IP Address Pool: Select this option if you want to assign IP addresses from a certain IP range to the clients gaining remote access through PPTP. By default, addresses from the private IP space 10.242.1.0/24 are assigned. This network definition is called the VPN Pool (PPTP) and can be used in all network-specific configuration options. If you want to use a different network, simply change the definition of the VPN Pool (PPTP) on the Definitions & Users > Network Definitions page. Alternatively, you can create another IP address pool by clicking the Plus icon next to the Pool network text box. Note that the netmask is limited to a minimum of 16.

• DHCP Server: If you select DHCP Server, also specify the network interface through which the DHCP server is connected. The DHCP server does not have to be directly connected to the interface—it can also be accessed through a router. Note that the local DHCP server is not supported; the DHCP server selected here must be running on a physically different system.

3. Click Apply.

Your settings will be saved.


Live Log

The PPTP Daemon Live Log logs all PPTP remote access activities. Click the button to open the live log in a new window.

16.2.2 iOS Devices

You can enable that iOS device users are offered automatic PPTP configuration in the User Portal.

However, only users that have been added to the Users and groups box on the Global tab will find configuration files on their User Portal site. The iOS device status is enabled by default.

Connection name: Enter a descriptive name for the PPTP connection so that iOS device users may identify the connection they are going to establish. The default name is your company name followed by the protocol PPTP.

Note – Connection Name must be unique among all iOS device connection settings (PPTP, L2TP over IPsec, Cisco VPN Client).

Override host name: In case the system hostname cannot be publicly resolved by the client, you can enter a server hostname here that overrides the internal preference of the DynDNS Hostname before the System DNS Hostname.

To disable automatic iOS device configuration, click the toggle switch.

The toggle switch turns gray.

16.2.3 Advanced

On the Remote Access > PPTP > Advanced tab you can configure the encryption strength and the amount of debug output with regard to PPTP remote access. Note that advanced PPTP options can only be configured if PPTP remote access status is enabled on the Global tab.

Encryption Strength

You can choose between strong (128-bit) and weak (40-bit) tunnel encryption (MPPE). Do not use weak encryption unless you have endpoints that do not support 128-bit encryption.


Debug Mode

Enable Debug Mode: This option controls how much debug output is generated in the PPTP log. Select this option if you encounter connection problems and need detailed information about the negotiation of client parameters, for example.

16.3 L2TP over IPsec

L2TP, short for Layer Two (2) Tunneling Protocol, is a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet), better known as a VPN. Because the L2TP protocol provides no confidentiality of its own, it is often combined with IPsec, which provides confidentiality, authentication, and integrity. The combination of these two protocols is also known as L2TP over IPsec. L2TP over IPsec provides the same functions as PPTP while allowing you to give individual hosts access to your network through an encrypted IPsec tunnel.

16.3.1 Global

On the L2TP over IPsec > Global tab you can configure basic options for setting up remote access via L2TP over IPsec.

To use L2TP over IPsec, proceed as follows:

1. On the Global tab enable L2TP over IPsec.

Click the toggle switch. The toggle switch turns amber and the Server Settings and IP Address Assignment area becomes editable.

2. Make the following settings:

Interface: Select the network interface to be used for L2TP VPN access.

Authentication mode: You can choose between the following authentication modes:

• Preshared key: Enter a password which is subsequently used as preshared key. The Preshared Key method makes use of a shared secret that is exchanged by the communicating parties prior to the communication taking place. To communicate, both parties prove that they know the secret. The shared secret is a secure phrase or password that is used to encrypt the traffic using the encryption algorithm for L2TP. For best security, you should take appropriate measures to increase the strength of the shared secret. The security of a shared secret depends on the quality of the password and how securely it has been transmitted. Passwords consisting of common words are extremely vulnerable to dictionary attacks. For that reason, the shared secret should be quite long and contain a variety of letters, capital letters, and numbers. Consequently, using a preshared secret as an authentication method should be replaced by certificates whenever possible.

Note – If you want to enable access for iOS devices you need to select Preshared Key because iOS devices only support PSK authentication.

• X.509 CA check: X.509 certificates ease the process of exchanging public authentication keys in large VPN setups with a lot of participants. A so-called CA gathers and checks the public keys of the VPN endpoints and issues a certificate for each member. The certificate contains the peer's identity along with its public key. Because the certificate is digitally signed, no one else can issue a forged certificate without being detected.

During the key exchange, certificates are exchanged and verified using locally stored CA public keys. The actual authentication of the VPN endpoints is then done by using public and private keys. If you want to use this authentication mode, select an X.509 certificate.

Note that for X.509 authentication to work, you need to have a valid CA configured on the Remote Access > Certificate Management > Certificate Authority tab.

Assign IP addresses by: IP addresses can be either assigned from a predefined IP address pool or distributed automatically by means of a DHCP server:

• Pool network: By default, IP Address Pool is selected as IP address assignment, having the pre-defined VPN Pool (L2TP) network definition selected as the Pool Network. The VPN Pool (L2TP) is a randomly generated network from the 10.x.x.x IP address space for private Internets, using a class C subnet. It is normally not necessary to ever change this, as it ensures that the users have a dedicated pool of addresses to make connections from. If you want to use a different network, you can simply change the definition of the VPN Pool (L2TP), or assign another network as IP address pool here. Note that the netmask is limited to a minimum of 16.


Note – If you use private IP addresses for your L2TP VPN Pool and you want IPsec hosts to be allowed to access the Internet, appropriate masquerading or NAT rules must be in place for the IP address pool.

• DHCP Server: If you select DHCP Server, also specify the network interface through which the DHCP server is connected. The DHCP server does not have to be directly connected to the interface—it can also be accessed through a router. Note that the local DHCP server is not supported; the DHCP server selected here must be running on a physically different system.

3. Click Apply.

Your settings will be saved.

To cancel the configuration, click the amber colored toggle switch.

Access Control

Authentication via: L2TP remote access only supports local and RADIUS authentication.

• Local: If you select Local, specify the users and user groups who should be able to use L2TP remote access. It is not possible to drag backend user groups into the field. For local users you need to add users in the usual way and enable L2TP for them. If no users or groups are selected, L2TP remote access is turned off. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Note – Username and password of the selected users may only contain ASCII printable characters [1].

Note – Similar to SSL VPN, the Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition does exist on the UTM. Depending on the authentication mode, authorized users who have successfully logged in to the User Portal find the IPsec pre-shared key (authentication mode Preshared key) or the PKCS#12 file (authentication mode X.509 CA Check) as well as a link to installation instructions, which are available at the Sophos Knowledgebase.

[1] http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters


• RADIUS: If you select RADIUS, the authentication requests are forwarded to the RADIUS server. The L2TP module sends the following string as NAS-ID to the RADIUS server: l2tp.

The authentication algorithm gets automatically negotiated between client and server. For local users, Sophos UTM supports the following authentication protocols:

• MSCHAPv2
• PAP

By default, a Windows client negotiates MSCHAPv2.

For RADIUS users, Sophos UTM supports the following authentication protocols:

• MSCHAPv2
• MSCHAP
• CHAP
• PAP

16.3.2 iOS Devices

You can enable automatic L2TP over IPsec configuration for iOS device users in the User Portal. However, only users that have been added to the Users and groups box on the Global tab will find configuration files on their User Portal site. The iOS device status is enabled by default.

Connection name: Enter a descriptive name for the L2TP over IPsec connection so that iOS device users can identify the connection they are going to establish. The default name is your company name followed by the protocol L2TP over IPsec.

Note – Connection Name must be unique among all iOS device connection settings (PPTP, L2TP over IPsec, Cisco VPN Client).

Override host name: In case the system hostname cannot be publicly resolved by the client, you can enter a server hostname here that overrides the internal preference of the DynDNS Hostname before the System DNS Hostname.

To disable automatic iOS device configuration, click the toggle switch. The toggle switch turns gray.


16.3.3 Debug

IKE Debugging

In the IKE Debugging section you can configure IKE debug options. Select the checkboxes for which types of IKE messages or communication you want to create debug output.

Note – The IKE Debugging section is identical across the Debug tabs of the menus Site-to-site VPN IPsec, Remote Access IPsec, L2TP over IPsec and Cisco VPN Client.

The following flags can be logged:

• Control Flow: Displays control messages of IKE state
• Outbound packets: Displays content of outgoing IKE messages
• Inbound packets: Displays content of incoming IKE messages
• Kernel messaging: Displays communication messages with the Kernel
• High availability: Displays communication with other HA nodes

L2TP Debugging

If Enable debug mode is selected, the IPsec VPN log file will contain extended information about L2TP or PPP connection negotiation.

16.4 IPsec

IP Security (IPsec) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets.

The IPsec standard defines two service modes and two protocols:

• Transport mode
• Tunnel mode
• Authentication Header (AH) authentication protocol
• Encapsulated Security Payload (ESP) encryption (and authentication) protocol


IPsec also offers methods for manual and automatic management of Security Associations (SAs) as well as key distribution. These characteristics are consolidated in a Domain of Interpretation (DOI).

IPsec Modes

IPsec can work in either transport mode or tunnel mode. In principle, a host-to-host connection can use either mode. If, however, one of the endpoints is a security gateway, the tunnel mode must be used. The IPsec VPN connections on this UTM always use the tunnel mode.

In transport mode, the original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text.

In tunnel mode, the complete packet—header and payload—is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP.

IPsec Protocols

IPsec uses two protocols to communicate securely on the IP level.

• Authentication Header (AH): A protocol for the authentication of packet senders and for ensuring the integrity of packet data.
• Encapsulating Security Payload (ESP): A protocol for encrypting the entire packet and for the authentication of its contents.

The Authentication Header protocol (AH) checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP addresses have not been changed in transmission. Packets are authenticated using a checksum created using a Hash-based Message Authentication Code (HMAC) in connection with a key. One of the following hashing algorithms will be used:

• Message Digest Version 5 (MD5): This algorithm generates a 128-bit checksum from a message of any size. This checksum is like a fingerprint of the message, and will change if the message is altered. This hash value is sometimes also called a digital signature or a message digest.
• The Secure Hash (SHA-1): This algorithm generates a hash similar to that of MD5, though the SHA-1 hash is 160 bits long. SHA-1 is more secure than MD5, due to its longer hash.

Compared to MD5, an SHA-1 hash is somewhat harder to compute, and requires more CPU time to generate. The computation speed depends, of course, on the processor speed and the number of IPsec VPN connections in use at the Sophos UTM.

In addition to encryption, the Encapsulated Security Payload protocol (ESP) offers the ability to authenticate senders and verify packet contents. If ESP is used in tunnel mode, the complete IP packet (header and payload) is encrypted. New, unencrypted IP and ESP headers are added to the encapsulating packet: The new IP header contains the address of the receiving gateway and the address of the sending gateway. These IP addresses are those of the VPN tunnel.

For ESP with encryption normally the following algorithms are used:

• Triple Data Encryption Standard (3DES)
• Advanced Encryption Standard (AES)

Of these, AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. Sophos UTM supports a number of encryption algorithms. Either the MD5 or SHA-1 algorithms can be used for authentication.
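An added example (not Sophos code and not from this manual) of the keyed HMAC integrity check the AH paragraph describes. IPsec does not transmit the full HMAC output: HMAC-MD5-96 and HMAC-SHA-1-96 (RFC 2403 and RFC 2404) keep the leftmost 96 bits, and RFC 4868 keeps 128 bits of HMAC-SHA-256, which is why the Policies tab later also offers "96 bit" SHA2 variants for peers that predate RFC 4868. The key and packet bytes are constructed; the known-answer check uses RFC 2202 test case 1 for HMAC-SHA-1.

```python
import hmac

# Truncation lengths in bytes for the integrity algorithms the page names
ICV_ALGORITHMS = {
    "hmac-md5-96": ("md5", 12),         # RFC 2403
    "hmac-sha1-96": ("sha1", 12),       # RFC 2404
    "hmac-sha256-128": ("sha256", 16),  # RFC 4868
    "hmac-sha256-96": ("sha256", 12),   # pre-RFC 4868 peers (the page's "SHA2 256 (96 bit)")
}


def compute_icv(alg: str, key: bytes, data: bytes) -> bytes:
    """Full HMAC over the authenticated bytes, then keep only the leftmost n bytes."""
    digest_name, icv_len = ICV_ALGORITHMS[alg]
    return hmac.new(key, data, digest_name).digest()[:icv_len]


def protect(alg: str, key: bytes, authenticated: bytes) -> bytes:
    """Append the ICV as a trailer, the way ESP carries it after the (encrypted) payload."""
    return authenticated + compute_icv(alg, key, authenticated)


def verify(alg: str, key: bytes, packet: bytes):
    """Return the authenticated bytes if the ICV checks, else None (constant-time compare)."""
    icv_len = ICV_ALGORITHMS[alg][1]
    if len(packet) <= icv_len:
        return None
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return body if hmac.compare_digest(compute_icv(alg, key, body), icv) else None


# RFC 2202 test case 1 for HMAC-SHA-1, truncated to 96 bits: a known-answer check
RFC2202_KEY, RFC2202_DATA = b"\x0b" * 20, b"Hi There"
RFC2202_SHA1_96 = bytes.fromhex("b617318655057264e28bc0b6")


def self_check() -> bool:
    return compute_icv("hmac-sha1-96", RFC2202_KEY, RFC2202_DATA) == RFC2202_SHA1_96
```

A peer configured for the 96-bit SHA2 variant reads a different number of trailer bytes than one using the RFC 4868 128-bit form, so the two never verify each other's packets; that mismatch, not a key problem, is what the compatibility entries on the Policies tab exist to resolve.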

NAT Traversal (NAT-T)

NAT traversal is a technology for establishing connections between hosts in TCP/IP networks which use NAT devices. This is achieved by using UDP encapsulation of the ESP packets to establish IPsec tunnels through NAT devices. UDP encapsulation is only used if NAT is detected between the IPsec peers; otherwise normal ESP packets will be used.

With NAT traversal you are able to place the gateway or a road warrior behind a NAT router and still establish an IPsec tunnel. Both IPsec peers must support NAT traversal if you want to use this feature, which is automatically negotiated. Make sure that the NAT device has IPsec passthrough turned off, because this could impair the use of NAT traversal.

If road warriors want to use NAT traversal, their corresponding user object in WebAdmin must have a static remote access IP address (RAS address) set (see also Use Static Remote Access IP on the Users page in WebAdmin).

By default, a NAT traversal keep-alive signal is sent at intervals of 60 seconds to prevent an established tunnel from expiring when no data is transmitted. The keep-alive messages are sent to ensure that the NAT router keeps the state information associated with the session so that the tunnel stays open.
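The page says ESP is UDP-encapsulated only when NAT is detected and that a keep-alive goes out every 60 seconds; the added example below (not Sophos code) shows how a receiver tells the three kinds of UDP/4500 payload apart, following RFC 3948: a single 0xFF byte is a NAT-keepalive, a four-zero-byte non-ESP marker precedes an IKE message, and anything else is ESP whose first four bytes are the SPI (SPI zero is reserved precisely so that the marker cannot collide with it). The IKE header layout is the standard ISAKMP one; the sample payloads are constructed.

```python
import struct

NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3: one octet, 0xFF
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: precedes IKE on UDP/4500
IKE_HEADER_LEN = 28                    # ISAKMP header: SPIs, next payload, version, exchange, flags, msg id, length
ESP_HEADER_LEN = 8                     # SPI (4) + sequence number (4)


def classify_udp4500_payload(payload: bytes) -> dict:
    """Tell keep-alive, IKE and UDP-encapsulated ESP apart by their leading bytes."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "IKE header too short"}
        initiator_spi, responder_spi = struct.unpack("!QQ", ike[:16])
        version, exchange_type = ike[17], ike[18]
        declared_len = struct.unpack("!I", ike[24:28])[0]
        if declared_len != len(ike):
            return {"kind": "malformed", "reason": "IKE length field does not match payload"}
        return {"kind": "ike", "initiator_spi": initiator_spi, "responder_spi": responder_spi,
                "major_version": version >> 4, "exchange_type": exchange_type}
    # Not keep-alive, no marker: ESP header follows the UDP header directly.
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "ESP header too short"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed samples of what a gateway behind NAT would receive on UDP/4500.
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 42) + b"\x00" * 24   # SPI, seq, opaque ciphertext
SAMPLE_IKE = (NON_ESP_MARKER
              + struct.pack("!QQ", 0x1122334455667788, 0)   # initiator SPI; responder SPI still 0
              + bytes([1, 0x10, 2, 0])                       # next payload SA, version 1.0, main mode, flags
              + struct.pack("!II", 0, IKE_HEADER_LEN))      # message ID, total length
```

A monitoring rule that counts keep-alives per peer gives a cheap liveness signal for road warriors behind NAT: if they stop arriving for well over the 60-second interval while the tunnel is supposedly up, the NAT state has most likely been dropped.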

TOS

Type of Service bits (TOS bits) are several four-bit flags in the IP header. These bits are referred to as Type of Service bits because they allow the transferring application to tell the network which type of service quality is necessary.

With the IPsec implementation of Sophos UTM the TOS value is always copied.

16.4.1 Connections

On the IPsec > Connections tab you can create and edit IPsec connections.

To create an IPsec connection, proceed as follows:

1. On the Connections tab, click New IPsec Remote Access Rule.

The Add IPsec Remote Access Rule dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this connection.

Interface: Select the name of the interface which is used as the local endpoint of the IPsec tunnel.

Local networks: Select or add the local networks that should be reachable through the VPN tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Virtual IP pool: The IP address pool where clients get an IP address assigned from in case they do not have a static IP address. The default pool is VPN Pool (IPsec) which comprises the private IP space 10.242.4.0/24. You can, however, select or create a different IP address pool. Note that the netmask is limited to a minimum of 16. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Policy: Select the IPsec policy for this IPsec connection. IPsec policies can be defined on the Remote Access > IPsec > Policies tab.

Authentication type: Select the authentication type for this remote gateway definition. The following types are available:


• Preshared key: Authentication with Preshared Keys (PSK) uses secret passwords as keys. These passwords must be distributed to the endpoints before establishing the connection. When a new VP tunnel is established, each side checks that the other knows the secret password. The security of PSKs depends on the quality of the passwords used: common words and phrases are subject to dictionary attacks. Permanent or long-term IPsec connections should use certificates instead.

• X.509 certificate: The X.509 Certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key together with information identifying the owner of the key. Such certificates are signed and issued by a trusted Certificate Authority (CA). Once selected, specify the users that should be allowed to use this IPsec connection. Unless you select the checkbox Automatic firewall rules, you need to specify appropriate firewall rules manually in the Network Protection menu.

Note – The User Portal can only be accessed by users who are selected in the Allowed users box and for whom a user definition does exist on the UTM. Authorized users who have successfully logged in to the User Portal find the Sophos IPsec Client (SIC), its configuration file, the PKCS#12 file as well as a link to installation instructions, which are available at the Sophos Knowledgebase.

• CA DN match: This authentication type uses a match of the Distinguished Name (DN) of CA certificates to verify the keys of the VPN endpoints. Once selected, select an Authority and choose a DN mask that matches the DNs of remote access clients. Now select or add a Peer Subnet Range. Clients are only allowed to connect if the DN mask matches the one in their certificate.

Enable XAUTH (optional): Extended authentication should be enabled to require authentication of users against configured backends.

Automatic firewall rules (optional): This option is only available with the authentication type X.509 Certificate. By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled.

Comment (optional): Add a description or other information.

3. Click Save.

The new remote access rule appears on the Connections list.

To either edit or delete a remote access rule, click the corresponding buttons.
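Both the L2TP over IPsec section (16.3.1) and the Preshared key type above give the same advice: a PSK should be long, mix lower-case letters, capital letters and numbers, and must not be built from dictionary words. The added checker below (not Sophos code) turns that advice into a repeatable test for a candidate PSK before it is typed into either tab. The word list is a constructed stand-in for a real dictionary, and the length and entropy thresholds are assumptions, not values from the manual.

```python
import math
import re
import string

# Constructed mini word list; a production check would load a real dictionary.
COMMON_WORDS = {"password", "secret", "vpn", "sophos", "admin", "summer", "welcome", "company"}
MIN_LENGTH = 20           # assumption: a concrete reading of "quite long"
MIN_ENTROPY_BITS = 100    # assumption: rough floor for a secret that must resist offline guessing

CHARACTER_CLASSES = (
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def classes_used(psk: str) -> set:
    return {name for name, chars in CHARACTER_CLASSES if any(c in chars for c in psk)}


def estimate_entropy_bits(psk: str) -> float:
    """Upper-bound estimate: length * log2(size of the union of character classes used)."""
    used = classes_used(psk)
    alphabet = sum(len(chars) for name, chars in CHARACTER_CLASSES if name in used)
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def dictionary_words_in(psk: str) -> list:
    """Split at non-letters and at lower-to-upper case changes, then look the tokens up."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z]+|(?<=[a-z])(?=[A-Z])", psk) if t}
    tokens.add(psk.lower())
    return sorted(t for t in tokens if t in COMMON_WORDS)


def assess_psk(psk: str) -> dict:
    """Return acceptability, the entropy estimate and every reason the PSK falls short."""
    problems = []
    if not psk.isascii() or not psk.isprintable():
        problems.append("contains non-ASCII or non-printable characters")
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not {"lower", "upper", "digit"} <= classes_used(psk):
        problems.append("does not mix lower-case letters, capital letters and numbers")
    words = dictionary_words_in(psk)
    if words:
        problems.append("built from dictionary words: " + ", ".join(words))
    bits = estimate_entropy_bits(psk)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    return {"acceptable": not problems, "entropy_bits": round(bits), "problems": problems}
```

The entropy figure is an upper bound that assumes every character was drawn uniformly from the classes used; a secret produced by a password generator reaches it, a human-chosen phrase does not, which is why the dictionary check runs as well.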


16.4.2 Policies

On the Remote Access > IPsec > Policies tab you can customize parameters for IPsec connections and unite them into a policy. An IPsec policy defines IKE (Internet Key Exchange) and IPsec proposal parameters of an IPsec connection. Note that each IPsec connection needs an IPsec policy.

Note – Sophos UTM only supports the main mode in IKE phase 1. The aggressive mode is not supported.

To create an IPsec policy, proceed as follows:

1. On the Policy tab, click New IPsec Policy.

The Add IPsec Policy dialog box opens.

2. Make the following settings:

Name: Enter a descriptive name for this policy.

IKE encryption algorithm: The encryption algorithm specifies the algorithm used for encrypting the IKE messages. Supported algorithms are:

• DES (56 bit)
• 3DES (168 bit)
• AES 128 (128 bit)
• AES 192 (192 bit)
• AES 256 (256 bit)
• Blowfish (128 bit)
• Twofish (128 bit)
• Serpent (128 bit)

Security Note – We strongly recommend against using DES, as it is a weak algorithm, and therefore represents a potential vulnerability.

IKE authentication algorithm: The authentication algorithm specifies the algorithm used for integrity checking of the IKE messages. Supported algorithms are:


• MD5 (128 bit)
• SHA1 (160 bit)
• SHA2 256 (256 bit)
• SHA2 384 (384 bit)
• SHA2 512 (512 bit)

IKE SA lifetime: This value specifies the timeframe in seconds for which the IKE SA (security association) is valid and when the next rekeying should take place. Valid values are between 60 sec and 28800 sec (8 hrs). The default value is 7800 seconds.

IKE DH group: When negotiating a connection, the communicating parties also settle the actual keys used to encrypt the data. In order to generate a session key, IKE uses the Diffie-Hellman (DH) algorithm, which utilizes random data. The random data generation is based on pool bits. The IKE group basically tells the number of pool bits. The more pool bits, the larger the random numbers. The larger the numbers, the harder it is to crack the Diffie-Hellman algorithm. As a consequence, more pool bits mean more security but also the consumption of more CPU resources. Currently, the following Diffie-Hellman groups are supported:

• Group 1: MODP 768
• Group 2: MODP 1024
• Group 5: MODP 1536
• Group 14: MODP 2048
• Group 15: MODP 3072
• Group 16: MODP 4096

Security Note – Group 1 (MODP 768) is considered weak and only supported for interoperability reasons. We strongly recommend against using it, as it represents a potential vulnerability.

IPsec encryption algorithm: The same encryption algorithms as for IKE. Additionally there are the following entries:

• No encryption (null)
• AES 128 CTR (128 bit)


• AES 192 CTR (192 bit)
• AES 256 CTR (256 bit)
• AES 128 GCM (96 bit)
• AES 192 GCM (96 bit)
• AES 256 GCM (96 bit)
• AES 128 GCM (128 bit)
• AES 192 GCM (128 bit)
• AES 256 GCM (128 bit)

Security Note – We strongly recommend against using no encryption or DES, as this represents a potential vulnerability.

IPsec authentication algorithm: The same authentication algorithms as for IKE. Additionally there are the following algorithms:

• SHA2 256 (96 bit)
• SHA2 384 (96 bit)
• SHA2 512 (96 bit)

Those are available for compatibility with tunnel endpoints not adhering to RFC 4868, for example UTM (i.e., ASG) versions older than V8, which therefore do not support truncated checksums longer than 96 bit.

IPsec SA lifetime: This value specifies the timeframe in seconds for which the IPsec SA is valid and when the next rekeying should take place. Valid values are between 60 sec and 86400 sec (1 day). The default value is 3600 seconds.

IPsec PFS group: Perfect Forward Secrecy (PFS) refers to the notion that if a session key is compromised, it will permit access only to data of this specific session. In order for PFS to exist, the key used to protect the IPsec SA must not be derived from random keying material used to get the keys for the IKE SA. Therefore, PFS initiates a second Diffie-Hellman key exchange proposing the selected DH group for the IPsec connection to get a new randomly generated key. Supported Diffie-Hellman groups are the same as for IKE.


Enabling PFS is considered to be more secure, but it also takes more time for the exchange. It is not recommended to use PFS on slow hardware.

Note – PFS is not fully interoperable with all vendors. If you notice problems during the negotiation, you might consider disabling PFS.

Strict policy: If an IPsec gateway makes a proposition with respect to an encryption algorithm and to the strength, it might happen that the gateway of the receiver accepts this proposition, even though the IPsec policy does not correspond to it. If you select this option and the remote endpoint does not agree on using exactly the parameters you specified, the IPsec connection will not be established. Suppose the IPsec policy of your UTM requires AES-256 encryption, whereas, for example, a road warrior with SSH Sentinel wants to connect with AES-128; with the strict policy option enabled, the connection would be rejected.

Note – The compression setting will not be enforced via Strict policy.

Compression: This option specifies whether IP packets should be compressed by means of the IP Payload Compression Protocol (IPComp) prior to encryption. IPComp reduces the size of IP packets by compressing them to increase the overall communication performance between a pair of communicating hosts or gateways. Compression is turned off by default.

Comment (optional): Add a description or other information.

3. Click Save.

The new policy appears on the Policies list.

To either edit or delete a policy, click the corresponding buttons.
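The IKE DH group and IPsec PFS group settings in the procedure above rest on one property: with PFS, the IPsec SA keys come from a second Diffie-Hellman exchange rather than from the IKE SA's keying material alone. The added simulation below (not Sophos code and not the UTM's key schedule) makes that property observable. It uses a simplified IKEv2-style derivation in which HMAC-SHA256 stands in for prf+, with constructed nonces and secrets; the modulus is the RFC 2409 MODP 1024 group (the page's Group 2) quoted from the RFC, chosen only because it is short enough to embed. It then plays out the compromise the page warns about: the IKE secret SK_d leaks later, and the nonces and public DH values were visible on the wire. Without PFS the IPsec SA key is recomputed exactly; with PFS it is not.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (MODP 1024, Group 2 on the page), generator 2.
# Quoted from the RFC for a runnable demonstration; use Group 14 or larger in practice.
MODP_1024_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2


def dh_keypair(p: int = MODP_1024_P, g: int = GENERATOR):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(private: int, peer_public: int, p: int = MODP_1024_P) -> bytes:
    """g^xy mod p as fixed-width big-endian bytes (the 'g^ir' of IKE)."""
    return pow(peer_public, private, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for IKE's prf; real IKE expands it with prf+ into several keys
    return hmac.new(key, data, hashlib.sha256).digest()


def ike_sk_d(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """Simplified IKE SA derivation: SKEYSEED = prf(Ni | Nr, g^ir), then SK_d from SKEYSEED."""
    skeyseed = prf(ni + nr, g_ir)
    return prf(skeyseed, b"SK_d")


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir_new: bytes = b"") -> bytes:
    """Shape of RFC 7296 section 2.17: KEYMAT = prf+(SK_d, Ni | Nr) without PFS,
    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) when PFS adds a fresh DH exchange."""
    return prf(sk_d, g_ir_new + ni + nr)


def simulate(pfs: bool) -> dict:
    # IKE SA: both peers exchange nonces and DH public values and derive the same SK_d.
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    xi, yi = dh_keypair()
    xr, yr = dh_keypair()
    sk_d_i = ike_sk_d(ni, nr, dh_shared(xi, yr))
    sk_d_r = ike_sk_d(ni, nr, dh_shared(xr, yi))
    # IPsec (child) SA: new nonces; with PFS also a second DH exchange in the selected group.
    ni2, nr2 = secrets.token_bytes(32), secrets.token_bytes(32)
    g_new_i = g_new_r = b""
    if pfs:
        xi2, yi2 = dh_keypair()
        xr2, yr2 = dh_keypair()
        g_new_i, g_new_r = dh_shared(xi2, yr2), dh_shared(xr2, yi2)
    keymat_i = child_sa_keymat(sk_d_i, ni2, nr2, g_new_i)
    keymat_r = child_sa_keymat(sk_d_r, ni2, nr2, g_new_r)
    # Later compromise: SK_d leaks. Nonces and public DH values were on the wire, the
    # private exponents never were, so the best reconstruction uses SK_d and nonces only.
    reconstructed = child_sa_keymat(sk_d_i, ni2, nr2)
    return {
        "pfs": pfs,
        "peers_agree": keymat_i == keymat_r,
        "keymat_recoverable_from_ike_secret": reconstructed == keymat_i,
    }
```

The extra modular exponentiation per rekey is the cost the page refers to on slow hardware; the security benefit is that a recorded session stays unreadable even if the IKE SA's keys are recovered later, which is exactly what the non-PFS branch of the simulation fails to provide.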

16.4.3 Advanced

On the Remote Access > IPsec > Advanced tab you can configure advanced options of IPsec VPN. Depending on your preferred authentication type, you can define the local certificate (for X.509 authentication) and the local RSA key (for RSA authentication), among other things. Note that this should only be done by experienced users.


Local X.509 Certificate

With X.509 authentication, certificates are used to verify the public keys of the VPN endpoints. If you want to use this authentication type, you have to select a local certificate from the drop-down list in the Local X.509 Certificate area. The selected key/certificate is then used to authenticate the gateway to remote peers if X.509 authentication is selected.

You can only select certificates where the appropriate private key is present; other certificates are not available in the drop-down list.

If there is no certificate available for selection, you have to add one in the Certificate Management menu, either by creating a new one or by importing one using the upload function.

After selecting the certificate, enter the passphrase the private key was protected with. During the saving process, the passphrase is verified and an error message is displayed if it does not match the encrypted key.

Once an active key/certificate is selected, it is displayed in the Local X.509 Certificate area.

Dead Peer Detection (DPD)

Use Dead Peer Detection: The dead peer detection option is used for automatically terminating a connection if the remote VPN gateway or client is unreachable. For connections with static endpoints, the tunnel will be re-negotiated automatically. Connections with dynamic endpoints require the remote side to re-negotiate the tunnel. Usually it is safe to always enable this option. The IPsec peers automatically determine whether the remote side supports dead peer detection or not, and will fall back to normal mode if necessary.

NAT Traversal (NAT-T)

Use NAT Traversal: Select to enable that IPsec traffic can pass upstream systems which use Network Address Translation (NAT). Additionally, you can define the keepalive interval for NAT traversal. Click Apply to save your settings.

CRL Handling

There might be situations in which the issuer of a certificate needs to revoke a certificate that is still within its validity period, for example if it has become known that the receiver of the certificate fraudulently obtained it by using wrong data (name, etc.) or because an attacker has got hold of the private key belonging to the certified public key. For this purpose, so-called Certificate Revocation Lists or CRLs are used. They normally contain the serial numbers of those certificates of a certifying instance that have been held invalid and that are still valid according to their respective periods of validity.


After the expiration of these periods the certificate will no longer be valid and must therefore not be maintained in the block list.

Automatic Fetching: This function automatically requests the CRL through the URL defined in the partner certificate via HTTP, Anonymous FTP or LDAP version 3. On request, the CRL can be downloaded, saved and updated, once the validity period has expired. If you use this feature but not via port 80 or 443, make sure that you set the firewall rules accordingly, so that the CRL distribution server can be accessed.

Strict Policy: If this option is enabled, any partner certificate without a corresponding CRL will be rejected.
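The CRL handling rules above, as an added decision procedure that is not Sophos code and does not parse real X.509 or CRL encodings: a CRL is modelled as its issuer, the revoked serial numbers and a next-update time; automatic fetching is represented by a "fetch" result once that time has passed; Strict Policy rejects a peer certificate when no CRL from its issuer is available; and entries for certificates that have passed their own validity period are pruned from the block list, which assumes the checker knows those certificates' expiry dates. Issuer names, serial numbers and dates are constructed sample values placed around the manual's own document date.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Certificate:
    issuer: str
    serial: int
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    next_update: datetime                        # after this time the CRL must be re-fetched
    revoked: set = field(default_factory=set)    # serial numbers held invalid

    def is_stale(self, now: datetime) -> bool:
        return now >= self.next_update


def prune_expired(crl: CRL, known_certs: dict, now: datetime) -> CRL:
    """Drop entries whose certificate is past its own validity period. Assumption: the
    checker knows those certificates' notAfter dates (a real CRL does not carry them)."""
    crl.revoked = {s for s in crl.revoked
                   if s not in known_certs or known_certs[s].not_after > now}
    return crl


def check_certificate(cert: Certificate, crls: dict, now: datetime, strict: bool) -> tuple:
    """Return (decision, reason); decision is 'accept', 'reject' or 'fetch'."""
    if cert.not_after <= now:
        return ("reject", "certificate expired")
    crl = crls.get(cert.issuer)
    if crl is None:
        if strict:
            return ("reject", "no CRL for issuer and Strict Policy is on")
        return ("accept", "no CRL for issuer; Strict Policy is off")
    if crl.is_stale(now):
        # Automatic Fetching would download a fresh list here and the check is repeated
        return ("fetch", "CRL validity period expired")
    if cert.serial in crl.revoked:
        return ("reject", "serial number is listed in the CRL")
    return ("accept", "not revoked")


# Constructed sample data (dates chosen around the manual's date, 2014-10-01)
SAMPLE_NOW = datetime(2014, 10, 1, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(days=8)
CA = "CN=Constructed Sample CA"
SAMPLE_CERTS = {
    1: Certificate(CA, 1, datetime(2016, 1, 1, tzinfo=timezone.utc)),   # valid, not revoked
    2: Certificate(CA, 2, datetime(2016, 1, 1, tzinfo=timezone.utc)),   # within validity, but revoked
    3: Certificate(CA, 3, datetime(2014, 9, 1, tzinfo=timezone.utc)),   # already expired
}
OTHER_CERT = Certificate("CN=Other Constructed CA", 9, datetime(2016, 1, 1, tzinfo=timezone.utc))
SAMPLE_CRLS = {CA: CRL(CA, SAMPLE_NOW + timedelta(days=7), {2, 3})}
```

With Strict Policy off, a peer whose CA publishes no reachable CRL is accepted without any revocation check at all; turning it on is the safer default once every peer CA actually publishes a CRL on a URL the firewall rules allow the UTM to reach.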

Preshared Key Probing

For IPsec connections using the respond-only mode you can decide to use different preshared keys (PSK) for each IPsec connection.

Enable probing of preshared keys: Select the checkbox to enable this option. This will affect L2TP-over-IPsec, remote access IPsec, and VPN IPsec connections.

16.4.4 Debug

IKE Debugging

In the IKE Debugging section you can configure IKE debug options. Select the checkboxes for which types of IKE messages or communication you want to create debug output.

Note – The IKE Debugging section is identical across the Debug tabs of the menus Site-to-site VPN IPsec, Remote Access IPsec, L2TP over IPsec and Cisco VPN Client.

The following flags can be logged:

• Control Flow: Displays control messages of IKE state
• Outbound packets: Displays content of outgoing IKE messages
• Inbound packets: Displays content of incoming IKE messages
• Kernel messaging: Displays communication messages with the Kernel
• High availability: Displays communication with other HA nodes


16.5 HTML5 VPN Portal

The HTML5 VPN Portal feature enables users from external networks to access internal resources via pre-configured connection types, using only a browser as a client, without installing plug-ins. To do so, the user logs into the User Portal of the UTM where on the HTML5 VPN Portal tab a list of all connections available to this user is shown. Clicking on the Connect button initiates the connection to the defined internal resource. As an administrator you have to generate these connections beforehand, specifying the allowed users, the connection type and other settings. Internal resources can be accessed using different connection types: either Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) to access remote desktops, a browser to use web applications (HTTP/HTTPS), or Telnet/Secure Shell (SSH) for terminal sessions. However, the HTML5 VPN Portal does not permit downloading content, e.g. via HTTP, to the user's local computer.

Using this feature it is possible to give multiple users access to internal resources which do not support multi-user access themselves (e.g., network hardware like switches) or to easily provide very granular access to just one specific service instead of giving access to entire systems or networks.

Examples:

• Give a telephone service company access to maintain your telephone system.
• Give access to a specific internal website, e.g., an intranet.

Note – The user's browser has to be HTML5-compliant. The following browsers support the HTML5 VPN feature: Firefox 6.0 onwards, Internet Explorer 10 onwards, Chrome, Safari 5 onwards (on Mac only).

16.5.1 Global

On the Remote Access> HTML5 VPN Portal> Global tab you can activate the HTML5 VPN

Portal and manage the respective VPN Portalconnections. Note that the number of con-

nectionsis limited to 100. For the allowed users, the enabled connectionsare available on the

HTML5 VPN Portal tab of the User Portal.

To activate the HTML5 VPN Portal and create a new HTML5 VPN connection, proceed as fol-

lows:


1. Enable the HTML5 VPN Portal.

Click the toggle switch.

The toggle switch turns green and the elements on the page become editable. All existing, enabled connections will now be visible in the User Portal of the allowed users.

2. Click the New HTML5 VPN Portal Connection button.

The Add HTML5 VPN Portal Connection dialog box opens.

3. Make the following settings:

Name: Enter a descriptive name for this connection.

Connection type: Select the connection type. Depending on the selected connection type, different parameters are displayed. The following types are available:

- Remote Desktop: Remote access using the Remote Desktop Protocol (RDP), e.g., to open a remote desktop session to a Windows host.
- Webapp (HTTP): Browser-based access to web applications via HTTP.
- Webapp (HTTPS): Browser-based access to web applications via HTTPS.

Note – The URL used for the HTTP/HTTPS connection is composed of the Destination, the Port and the Path options for this connection. The web application has to be compatible with Mozilla Firefox (version 6.0 onwards).

- Telnet: Terminal access using the Telnet protocol, e.g., to give access to a switch or a printer.
- SSH: Terminal access using SSH.
- VNC: Remote access using Virtual Network Computing (VNC), e.g., to open a remote desktop of a Linux/Unix host.

Note – Currently only VNC classic authentication (password only) is supported. Make sure your server is set up accordingly.

Destination: Select or add the host which allowed users should be able to connect to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.


Note – If the selected destination host supplies a self-signed certificate, make sure that the CN (Common Name) of the certificate matches your destination hostname. Otherwise the user will get a certificate warning in the portal browser. If you e.g. use a DNS host www.mydomain.com, make sure that the self-signed certificate contains this name. If you use a host instead of a DNS host, make sure that the self-signed certificate contains the host's IP address as a Subject Alternative Name.

Path (only with connection types Webapp): Enter the path which allowed users should be able to connect to.

Username (only with connection type SSH): Enter the username the user should use to connect.

Automatic login/Automatic login (Basic Auth): If enabled, users can log in without knowing the authentication data. In this case, you have to provide the authentication data. The displayed options depend on the selected connection type:

- Username: Enter the username users should use to connect.
- Password: Enter the password users should use to connect.

Note – When using the connection type Telnet, for security reasons automatic login only works when the banner length sent from the Telnet server does not exceed 4096 characters (including the password prompt). If the banner is longer, automatic login fails. In this case reduce the banner length or switch to manual login.

- Authentication method (only with connection type SSH): Select the SSH authentication method. You can either provide the Password for the selected username or add the Private SSH key for the SSH connection.

SSL host certificate (only with connection type HTTPS): Add the SSL host security certificate to identify the destination host.

- SSL certificate: Click the Fetch button to automatically add the certificate of the selected destination host.

Public host key (only with connection type SSH): Add the public key of the SSH host.

- SSH public key: Click the Fetch button to automatically retrieve the SSH public key of the selected destination host.


Allowed users (User Portal): Select the users or groups or add the new users that should be allowed to use the VPN Portal connection. By default, only one user can use a connection at the same time. If you want the users to share a session simultaneously, select the Shared session checkbox in the Advanced section. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Note – When you add a group with backend membership, make sure that the group is also allowed for the User Portal. On the Management > User Portal > Global tab, either select Allow all users or Allow only specific users and explicitly add the group. If you only allow individual group members for the User Portal, they will not be provided the connections allowed for the group.

Comment (optional): Add a description or other information.

4. Optionally, make the following advanced settings:

Port: Enter a port number for the connection. By default the standard port of the selected connection type is selected.

Protocol security (only with connection type Remote Desktop): Select the security protocol for the Remote Desktop session. You can choose between RDP, TLS and NLA (Network Level Authentication). Your settings have to comply with the server settings. NLA requires Automatic login (above) to be enabled.

Share session: Select this option to allow users to use the connection simultaneously and see the same screen.

Allow external resources (only with connection types Webapp (HTTP/S)): Enter additional resources that are allowed to be accessed via this connection. This is useful if, for example, images or other resources are stored on a different server than the webpage itself. For the selected host(s) or network ranges, port 80 and 443 will be allowed.

5. Click Save.

The new connection appears on the Connections list.

6. Enable the connection.

Click the toggle switch to activate the connection.

The connection is now available for the allowed users. It is located on the HTML5 VPN Portal tab of the User Portal.

To either edit or delete a connection, click the corresponding buttons.


16.6 Cisco VPN Client

Sophos UTM supports IPsec remote access via Cisco VPN Client. The Cisco VPN Client is an executable program from Cisco Systems that allows computers to connect remotely to a Virtual Private Network (VPN) in a secure way.

16.6.1 Global

On the Remote Access > Cisco VPN Client > Global tab you can configure basic options for setting up remote access via Cisco VPN Client.

To configure Sophos UTM to allow Cisco VPN Client connections, proceed as follows:

1. On the Global tab enable Cisco VPN Client.

Click the toggle switch.

The toggle switch turns amber and the Server Settings area becomes editable.

2. Make the following settings:

Interface: Select an interface to be used for Cisco VPN Client connections.

Server certificate: Select the certificate with which the server identifies itself to the client.

Pool network: Select a network pool from which virtual network addresses are chosen and assigned to connecting clients. By default VPN Pool (Cisco) is selected.

Local networks: Select or add the local networks that should be reachable through the VPN tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Users and groups: Select users or user groups, or add users that are allowed to connect to the UTM via Cisco VPN Client. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.

Automatic firewall rules (optional): By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled.

3. Click Apply.

Your settings will be saved.


Live Log

Use the live log to track the connection log of the IPsec IKE daemon. It shows information on establishing, maintaining, and closing connections.

16.6.2 iOS Devices

You can enable that iOS device users are offered automatic Cisco IPsec configuration in the User Portal.

However, only users that have been added to the Users and groups box on the Global tab will find configuration files on their User Portal site. The iOS device status is enabled by default.

Connection name: Enter a descriptive name for the Cisco IPsec connection so that iOS device users may identify the connection they are going to establish. The default name is your company name followed by the protocol Cisco IPsec.

Note – Connection Name must be unique among all iOS device connection settings (PPTP, L2TP over IPsec, Cisco VPN Client).

Override hostname: In case the system hostname cannot be publicly resolved by the client, you can enter a server hostname here that overrides the internal preference of the DynDNS Hostname before the System DNS Hostname.

Establish VPN connection on demand: Select this option to automatically initiate a VPN connection whenever the location matches one of the hostnames or domains listed in the box.

- Match domain or host: Enter the domains or hostnames for which you want to establish VPN connections on demand. This could be your local intranet, for example.
- Establish only when DNS lookup fails: By default, the VPN connection is only established after a DNS lookup has failed. If unselected, the VPN connection is established regardless of whether the hostname can be resolved or not.

Note that connecting iOS devices are presented with the server certificate specified on the Global tab. The iOS device checks whether the VPN ID of this certificate corresponds to the server hostname and refuses to connect if they differ. If the server certificate uses Distinguished Name as VPN ID Type, it compares the server hostname with the Common Name field instead. You need to make sure the server certificate fulfills these constraints.

To disable automatic iOS device configuration, click the toggle switch. The toggle switch turns gray.

16.6.3 Debug

IKE Debugging

In the IKE Debugging section you can configure IKE debug options. Select the checkboxes for which types of IKE messages or communication you want to create debug output.

Note – The IKE Debugging section is identical across the Debug tabs of the menus Site-to-site VPN IPsec, Remote Access IPsec, L2TP over IPsec and Cisco VPN Client.

The following flags can be logged:

- Control Flow: Displays control messages of IKE state
- Outbound packets: Displays content of outgoing IKE messages
- Inbound packets: Displays content of incoming IKE messages
- Kernel messaging: Displays communication messages with the Kernel
- High availability: Displays communication with other HA nodes

16.7 Advanced

On the Remote Access > Advanced page you can make the advanced configurations for remote access clients. The IP addresses of the DNS and WINS servers you enter here are provided for the use of remote access clients while establishing a connection to the gateway, thus providing full name resolution for your domain.

DNS Server: Specify up to two DNS servers of your organization.

WINS Server: Specify up to two WINS servers of your organization. Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows operating systems. Effectively, WINS is to NetBIOS names what DNS is to domain names—a central mapping of hostnames to IP addresses.

Domain Name: Enter the hostname of your UTM as a fully qualified domain name (FQDN). The fully qualified domain name is an unambiguous domain name that specifies the node's absolute position in the DNS tree hierarchy, for example utm.example.com. A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a special designator such as com, org, or de. The hostname will be used in notification messages to identify the UTM.

Note – For PPTP and L2TP over IPsec the domain name cannot be distributed automatically, but needs to be configured on the client side.

With iOS devices using Cisco VPN Client, the DNS servers specified above are only used to resolve hosts that belong to the specified domain.

16.8 Certificate Management

Using the Remote Access > Certificate Management menu, which contains the same configuration options as the Site-to-site VPN > Certificate Management menu, you can manage all certificate-related operations of Sophos UTM. This includes creating or importing X.509 certificates as well as uploading so-called Certificate Revocation Lists (CRLs), among other things.

16.8.1 Certificates

See Site-to-site VPN > Certificate Management > Certificates.

16.8.2 Certificate Authority

See Site-to-site VPN > Certificate Management > Certificate Authority.

16.8.3 Revocation Lists (CRLs)

See Site-to-site VPN > Certificate Management > Revocation Lists (CRLs).

16.8.4 Advanced

See Site-to-site VPN > Certificate Management > Advanced.


17 Logging & Reporting

This chapter describes the logging and reporting functionality of Sophos UTM.

Sophos UTM provides extensive logging capabilities by continuously recording various system and network protection events. The detailed audit trail provides both historical and current analysis of various network activities to help identify potential security threats or to troubleshoot occurring problems.

The reporting function of Sophos UTM provides real-time information on its managed devices by collecting current log data and presenting it in a graphical format.

The Log Partition Status page in WebAdmin shows the status of the log partition of your Sophos UTM unit, including information about the disk space left and the fill-up rate as well as a four-week histogram of the log partition utilization. As the fill-up rate is the difference between the measurement point and the starting point divided by the time elapsed, the value is somewhat inaccurate in the beginning but becomes more precise the longer the system is up.

The following topics are included in this chapter:

- View Log Files
- Hardware
- Network Usage
- Network Protection
- Web Protection
- Email Protection
- Remote Access
- Webserver Protection
- Executive Report
- Log Settings
- Reporting Settings


Reporting Charts

Sophos UTM displays reporting data in line charts and pie charts. Due to their interactivity, those charts allow fine-grained access to information.

Line Charts

Interacting with line charts is easy: When hovering the mouse cursor over a chart, a big dot will appear, which gives detailed information on this part of the chart. The dot is clung to the line of the chart. As you move the mouse cursor the dot follows. In case a chart has several lines, the dot switches between them according to where you move the mouse cursor. Additionally, the dot changes its color depending on which line its information refers to, which is especially useful with lines running close to each other.

Figure 31   Reporting: Example of a Line Chart

Pie Charts

Similar to line charts, you can interact with pie charts: Direct the mouse cursor to a piece of a pie chart. This piece will immediately be extracted from the rest of the pie, the tooltip showing detailed information on the extracted piece.

Figure 32   Reporting: Example of a Pie Chart


17.1 View Log Files

The Logging & Reporting > View Log Files menu offers the possibility to view different kinds of log files and to search in log files.

17.1.1 Today's Log Files

On the Logging & Reporting > View Log Files > Today's Log Files tab all current logs can easily be accessed.

This tab provides various actions that can be applied to all log files. The following actions are available:

- Live Log: Opens a pop-up window allowing you to view the log file in real time. New lines are added to the log file on the fly. If you select Autoscroll, the pop-up window will automatically scroll down to always display the most recent log. In addition, the pop-up window also contains a filter text box that allows you to limit the display of new logs to only those records that match the filter.
- View: Opens a pop-up window that shows the log file in its current state.
- Clear: Deletes the contents of the log file.

Using the drop-down list in the table footer, you can either download selected log files as a zip file or clear their contents simultaneously.

17.1.2 Archived Log Files

On the Logging & Reporting > View Log Files > Archived Log Files tab you can manage the log file archive. All log files are archived on a daily basis. To access an archived log file, select the subsystem of Sophos UTM for which logs are written as well as a year and month.

All available log files that match your selection will be displayed in chronological order. You can either view the archived log file or download it in zip file format.

Using the drop-down list in the table footer, you can either download selected log files as a zip file or delete them simultaneously.


17.1.3 Search Log Files

The tab Logging & Reporting > View Log Files > Search Log Files enables you to search through your local log files for various time periods. First, select the log file you want to search through, then enter the search term and select the time range. If you select Custom Time Frame from the Select Time Frame list, you can specify a start and end date. After clicking the Start Search button, a pop-up window will open presenting the results of your query. Depending on your browser it may be necessary to allow pop-up windows for WebAdmin.

If you select Web Filtering or Endpoint Web Protection from the Select log file to search list, you get three more filter categories. You can search for a specific User, URL and Action:

- User: Search for a full username in the logs.
- URL: Search for the substring match of a URL.
- Action: Drop-down list with all kinds of possible actions.

Note – If you select the checkbox under the Search term, you can optionally do the same search on Web Filtering and Endpoint Protection at the same time.

17.2 Hardware

The Logging & Reporting > Hardware menu provides overview statistics about the utilization of hardware components for several time periods.

17.2.1 Daily

The Hardware > Daily tab provides overview statistics about the following hardware components of the last 24 hours:

- CPU Usage
- Memory/Swap Usage
- Partition Usage

CPU Usage: The histogram displays the current processor utilization in percent.

Memory/Swap Usage: The utilization of memory and swap in percent. The swap usage heavily depends on your system configuration. The activation of system services such as Intrusion Prevention or the proxy servers will result in a higher memory usage. If the system runs out of free memory, it will begin to use swap space, which decreases the overall performance of the system. The used swap space should be as low as possible. To achieve that, increase the total amount of memory available to your system.

Partition Usage: The utilization of selected partitions in percent. All charts show three graphs, each representing one hard disk drive partition:

- Root: The root partition is the partition where the root directory of Sophos UTM is located. In addition, this partition stores update packages and backups.
- Log: The log partition is the partition where log files and reporting data are stored. If you run out of space on this partition, please adjust your settings under Logging & Reporting > Log Settings > Local Logging.
- Storage: The storage partition is the partition where proxy services store their data, for example images for the Web Filter, messages for the SMTP proxy, quarantined mails and the like. In addition, the database, temporary data, and configuration files are located there.

17.2.2 Weekly

The Hardware > Weekly tab provides overview statistics about selected hardware components for the last seven days. The histograms are described in the Daily section.

17.2.3 Monthly

The Hardware > Monthly tab provides overview statistics about selected hardware components for the last four weeks. The histograms are described in the Daily section.

17.2.4 Yearly

The Hardware > Yearly tab provides overview statistics about selected hardware components for the last twelve months. The histograms are described in the Daily section.

17.3 Network Usage

The tabs of the Logging & Reporting > Network Usage menu provide overview statistics about the traffic passing each interface of Sophos UTM for several time periods. Each chart presents its data using the following units of measurement:

- u (Micro, 10^-6)
- m (Milli, 10^-3)
- k (Kilo, 10^3)
- M (Mega, 10^6)
- G (Giga, 10^9)

Note that the scaling can range from 10^-18 to 10^8.

17.3.1 Daily

The Network Usage > Daily tab provides overview statistics about the traffic passing each configured interface of the last 24 hours.

Each histogram shows two graphs:

- Inbound: The average incoming traffic for that interface, in bits per second.
- Outbound: The average outgoing traffic for that interface, in bits per second.

The Concurrent Connections chart shows you the total of concurrent connections.

17.3.2 Weekly

The Network Usage > Weekly tab provides overview statistics about the traffic passing each configured interface of the last seven days. The histograms are described in the Daily section.

17.3.3 Monthly

The Network Usage > Monthly tab provides overview statistics about the traffic passing each configured interface of the last four weeks. The histograms are described in the Daily section.

17.3.4 Yearly

The Network Usage > Yearly tab provides overview statistics about the traffic passing each configured interface of the last twelve months. The histograms are described in the Daily section.


17.3.5 Bandwidth Usage

The Network Usage > Bandwidth Usage tab presents comprehensive data about the network traffic which was transferred to/from and through the device.

From the first drop-down list, select the type of data to display, e.g., Top Clients or Top Services By Client. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the By Client and By Server views you can manually provide an IP/Network, as well as network ranges (e.g., 192.168.1.0/24 or 10/8). On the By Services views you can enter protocol and service, separated by comma (e.g., TCP,SMTP or UDP,6000). If you do not supply the protocol, TCP will be assumed (e.g. HTTP is also valid).

On the Top Clients and Top Servers views, if an IP or a hostname is clicked in the result table, it will automatically be used as a filter for the Top Services By Client or Top Services By Server view. On the Top Services, Top Applications, and Top Application Categories views, if you click a service, an application, or an application category in the result table, it will automatically be used as a filter for the Top Clients by Service, Top Clients by Application, or Top Clients by Category view.

Top Applications/Top Application Categories: If Application Control is turned off, network traffic will be displayed as "unclassified". If Application Control is active, network traffic will be displayed by type, e.g. "WebAdmin", "NTP", "facebook", etc. For more information on Application Control see chapter Web Protection > Application Control.

Please note that the labels IN and OUT for traffic may vary depending on the point of view. When running in proxy mode, the client connects to port 8080 on UTM (even in transparent mode), so data sent by the client (the request) is seen as incoming traffic and the data sent to the client (the response) is seen as outgoing traffic on the internal interface.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers. For example, if you want to sort all hosts by incoming traffic, click on IN in the table heading. Thus, hosts causing the most incoming traffic will be listed first. Note that the data for traffic is given in kibibytes (KiB) and mebibytes (MiB), both of which are base-2 units of computer storage (e.g., 1 kibibyte = 2^10 bytes = 1024 bytes).

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon—if present—you can get a pie chart displayed above the table.

17.4 Network Protection

The tabs of the Logging & Reporting > Network Protection menu provide overview statistics about relevant network protection events detected by Sophos UTM.

17.4.1 Daily

The Network Protection > Daily tab provides overview statistics about the following events of the last 24 hours:

- Firewall Violations
- Intrusion Prevention Statistics

Firewall Violations: Every data packet that is dropped or rejected is counted as a firewall violation. The number of firewall violations is calculated over a time span of five minutes.

Intrusion Prevention Statistics: All charts show two graphs:

- Alert Events: The number of data packets that triggered an intrusion alert.
- Drop Events: The number of data packets that were dropped by the intrusion prevention system.
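To reproduce the five-minute firewall violation count from an exported packet filter log, here is an added Python example; it is not Sophos code. The log lines are constructed, the timestamp layout and the key="value" fields are assumptions, and only action="drop" and action="reject" are counted, following the definition above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Layout assumed for the packet filter log: a timestamp, then key="value" fields.
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"
KV_RE = re.compile(r'(\w+)="([^"]*)"')
VIOLATION_ACTIONS = {"drop", "reject"}   # dropped or rejected packets are violations

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = """\
2014:10:01-12:00:07 utm ulogd: sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.9" dstip="192.0.2.10" proto="6" dport="22"
2014:10:01-12:01:40 utm ulogd: sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.9" dstip="192.0.2.10" proto="6" dport="23"
2014:10:01-12:02:15 utm ulogd: sub="packetfilter" name="Packet accepted" action="accept" srcip="10.0.1.5" dstip="192.0.2.10" proto="6" dport="443"
2014:10:01-12:04:59 utm ulogd: sub="packetfilter" name="Packet rejected" action="reject" srcip="198.51.100.77" dstip="192.0.2.10" proto="17" dport="161"
2014:10:01-12:05:00 utm ulogd: sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.9" dstip="192.0.2.10" proto="6" dport="3389"
2014:10:01-12:09:31 utm ulogd: sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.9" dstip="192.0.2.10" proto="6" dport="445"
2014:10:01-12:17:02 utm ulogd: sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.4" dstip="192.0.2.10" proto="6" dport="22"
"""


def parse_line(line):
    """Return (timestamp, fields) for a log line, or None if it has no parseable timestamp."""
    stamp = line.split(" ", 1)[0]
    try:
        ts = datetime.strptime(stamp, TS_FORMAT)
    except ValueError:
        return None
    return ts, dict(KV_RE.findall(line))


def violations(lines):
    """Yield (timestamp, fields) for every dropped or rejected packet."""
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1].get("action") in VIOLATION_ACTIONS:
            yield parsed


def window_start(ts, window_seconds):
    """Align a timestamp to the start of its fixed window (12:04:59 -> 12:00:00 for 300 s)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = int((ts - midnight).total_seconds())
    return midnight + timedelta(seconds=offset - offset % window_seconds)


def count_violations(lines, window_seconds=300):
    """Map each window (as 'YYYY-MM-DD HH:MM') to its number of firewall violations."""
    counts = Counter()
    for ts, _fields in violations(lines):
        counts[window_start(ts, window_seconds).strftime("%Y-%m-%d %H:%M")] += 1
    return dict(sorted(counts.items()))


def top_source_hosts(lines):
    """Source addresses ranked by violation count, like the Top Source Hosts view."""
    counter = Counter(fields.get("srcip", "?") for _ts, fields in violations(lines))
    return counter.most_common()


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for window, n in count_violations(sample).items():
        print(f"{window}  violations={n}")
    print("top sources:", top_source_hosts(sample))
```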

17.4.2 Weekly

The Network Protection > Weekly tab provides overview statistics about firewall violations and intrusion prevention events of the last seven days. The histograms are described in the Daily section.


17.4.3 Monthly

The Network Protection > Monthly tab provides overview statistics about firewall violations and intrusion prevention events of the last four weeks. The histograms are described in the Daily section.

17.4.4 Yearly

The Network Protection > Yearly tab provides overview statistics about firewall violations and intrusion prevention events of the last twelve months. The histograms are described in the Daily section.

17.4.5 Firewall

The Network Protection > Firewall tab presents comprehensive data about the firewall activity, classified according to source IP, source hosts, number of received packets and number of services.

Note – Packets with a TTL less than or equal to one are dropped without being logged.

From the first drop-down list, select the type of data to display, e.g., Top Source Hosts or Top Services By Destination. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the By Source and By Destination views you can manually provide an IP/Network, as well as network ranges (e.g., 192.168.1.0/24 or 10/8). On the By Service views you can enter protocol and service, separated by comma (e.g., TCP,SMTP or UDP,6000).
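The filter syntax used here and on the Bandwidth Usage tab (17.3.5) can be checked offline. The following Python is an added example, not Sophos code: it parses the IP/network filters and the protocol,service filters the views accept, applies the rules given on those pages (a bare service name means TCP; 10/8 is short for 10.0.0.0/8), and runs them over constructed accounting records. The service-name table and the record layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed name-to-port table for the service names the views accept by name.
SERVICE_PORTS = {"SMTP": 25, "HTTP": 80, "HTTPS": 443, "DNS": 53, "NTP": 123}

# Constructed accounting records: (client IP, protocol, destination port, bytes in, bytes out).
SAMPLE_RECORDS = [
    ("192.168.1.10", "TCP", 25, 4_096, 120_000),
    ("192.168.1.10", "TCP", 443, 50_000, 8_000),
    ("192.168.1.23", "UDP", 6000, 2_000, 2_000),
    ("10.5.5.5", "TCP", 80, 900_000, 30_000),
    ("192.168.2.7", "TCP", 25, 1_000, 5_000),
]


def parse_network_filter(text):
    """Accept a host IP, a CIDR network, or the short form '10/8' (meaning 10.0.0.0/8)."""
    text = text.strip()
    if "/" in text and ":" not in text:
        addr, prefix = text.split("/", 1)
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
            raise ValueError(f"bad network filter: {text!r}")
        octets += ["0"] * (4 - len(octets))           # pad '10' to '10.0.0.0'
        text = ".".join(octets) + "/" + prefix
    # strict=False tolerates host bits in the network part; a bare host becomes /32 (or /128).
    return ipaddress.ip_network(text, strict=False)


def parse_service_filter(text):
    """'TCP,SMTP', 'UDP,6000' or a bare 'HTTP' (protocol defaults to TCP) -> (protocol, port)."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) == 1:
        proto, service = "TCP", parts[0]
    elif len(parts) == 2:
        proto, service = parts[0].upper(), parts[1]
    else:
        raise ValueError(f"bad service filter: {text!r}")
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol in filter: {text!r}")
    port = int(service) if service.isdigit() else SERVICE_PORTS.get(service.upper())
    if port is None or not 0 < port <= 65535:
        raise ValueError(f"unknown service in filter: {text!r}")
    return proto, port


def top_services_by_client(records, client_filter):
    """Total bytes per (protocol, port) for the clients matched by an IP/network filter, largest first."""
    net = parse_network_filter(client_filter)
    totals = defaultdict(int)
    for client, proto, port, bytes_in, bytes_out in records:
        if ipaddress.ip_address(client) in net:
            totals[(proto, port)] += bytes_in + bytes_out
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def top_clients_by_service(records, service_filter):
    """Total bytes per client for one (protocol, port) filter, largest first."""
    proto, port = parse_service_filter(service_filter)
    totals = defaultdict(int)
    for client, rec_proto, rec_port, bytes_in, bytes_out in records:
        if (rec_proto, rec_port) == (proto, port):
            totals[client] += bytes_in + bytes_out
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("Top Services By Client 192.168.1.0/24:", top_services_by_client(SAMPLE_RECORDS, "192.168.1.0/24"))
    print("Top Clients By Service SMTP:", top_clients_by_service(SAMPLE_RECORDS, "SMTP"))
    print("Top Clients By Service UDP,6000:", top_clients_by_service(SAMPLE_RECORDS, "UDP,6000"))
```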

On the Top Source Hosts and Top Destination Hosts views, if you click an IP or a hostname in the result table, it will automatically be used as a filter for the Top Services By Source or Top Services By Destination view. On the Top Services view, if you click a service in the result table, it will automatically be used as a filter for the Top Source Host By Services view.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

UTM 9 WebAdmin   533

17 Logging & Reporting   17.4 Network Protection

Page 534: Manula de UTM Sophos

8/21/2019 Manula de UTM Sophos

http://slidepdf.com/reader/full/manula-de-utm-sophos 534/631

17.4 Network Protection   17 Logging & Reporting

You can download the data in PDF or Excel format by clicking one of the corresponding icons in

the top right corner of the tab. The report is generated from the current view you have selected.

 Additionally, by clicking the Pie Chart icon—if present—you can get a pie chart displayed above

the table.

17.4.6 Advanced Threat Protection

The Network Protection > Advanced Threat Protection tab presents comprehensive data about advanced threats in your network.

From the first drop-down list, select the type of data to display, e.g., Recent Infections or Recent Infections by Host. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the Recent Infected by Malware and Recent Infections by Malware views you can manually filter a specific threat. On the Recent Infections by Host views you can manually filter a specific host.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon (if present) you can get a pie chart displayed above the table.

17.4.7 IPS

The Network Protection > IPS tab presents comprehensive data about intrusion prevention activities on your network.

From the first drop-down list, select the type of data to display, e.g., Top Source Hosts or Top Destinations By Source. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the By Source and By Destination views you can manually provide an IP/Network, as well as network ranges (e.g., 192.168.1.0/24 or 10/8). On the Top Source Hosts or Top Destinations Hosts views, if you click an IP in the result table, it will automatically be used as a filter for the Top Destinations by Source or Top Sources by Destination view.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon (if present) you can get a pie chart displayed above the table.

17.5 Web Protection

The tabs of the Logging & Reporting > Web Protection menu provide overview statistics about the most active web users and most frequently visited websites.

17.5.1 Web Usage Report

The Logging & Reporting > Web Protection > Web Usage Report page is a powerful tool when you want to take a deeper look into your network traffic and your users' web usage. At first glance, this page looks very complicated, but the best way to start is to use it and learn from the results.

Web Surfing Data Statistics

The collection of web surfing data is session-based. The UTM distinguishes between sessions per user ('How long has this user been surfing?') and sessions per user and domain ('How long has this user been surfing on this domain?'), where the domain is the top-level domain plus one significant level. To achieve good approximations, all data is gathered as follows: each web request is logged, taking the traffic volume and the duration between requests into account. If no requests are recorded for a session during a period of five minutes of inactivity, the session is considered closed. To take into account that users might still be viewing a web page within those five minutes of inactivity, one minute is always added to the Time Spent values. Note further that reporting data is updated every 15 minutes.

Thus, if a user for example switches between two domains for 10 minutes, this will result in a total of 10 minutes for this user but 20 minutes for the domains surfed by this user. However, if the user uses different tabs or browsers to surf on the same domain, this will not influence the result.
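The session accounting described above, worked through as an added example. This is illustrative code written for this guide, not Sophos code, and it only approximates the UTM's internal logic: requests are grouped per user and per user-and-domain, a gap of more than five minutes closes a session, the domain is reduced to the top-level domain plus one label, and one minute is added to every session. On the constructed sample, alice alternating between two domains for ten minutes is reported with 11 minutes as a user but 11 minutes on each of the two domains (22 in total); the 10 and 20 minutes quoted above leave out the one-minute allowance. bob's two tabs on the same domain at the same moment count once, and his return after thirty minutes starts a new session.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters taken from the manual's description of web surfing statistics.
INACTIVITY_TIMEOUT = timedelta(minutes=5)  # no request for 5 min closes a session
VIEWING_ALLOWANCE = timedelta(minutes=1)   # added once per session to Time Spent


def reporting_domain(host: str) -> str:
    """Reduce a host name to 'top-level domain plus one significant level'.

    Assumption: the last two labels are used. Multi-part public suffixes
    (co.uk and the like) are not handled by this simplified version.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sessionize(timestamps):
    """Group request times into sessions.

    A gap larger than INACTIVITY_TIMEOUT between two consecutive requests
    closes the current session. Returns a list of (first, last) request times.
    """
    sessions = []
    start = prev = None
    for ts in sorted(timestamps):
        if start is None:
            start = prev = ts
        elif ts - prev > INACTIVITY_TIMEOUT:
            sessions.append((start, prev))
            start = prev = ts
        else:
            prev = ts
    if start is not None:
        sessions.append((start, prev))
    return sessions


def time_spent_minutes(timestamps) -> float:
    """Time Spent = sum over sessions of (last - first) plus the one-minute allowance."""
    total = timedelta()
    for first, last in sessionize(timestamps):
        total += (last - first) + VIEWING_ALLOWANCE
    return total.total_seconds() / 60


def web_usage_report(requests):
    """requests: iterable of (datetime, user, host).

    Returns two dicts: Time Spent in minutes per user, and per (user, domain).
    Requests from several tabs or browsers to the same domain fall into the
    same session, so they do not inflate the result.
    """
    per_user = defaultdict(list)
    per_user_domain = defaultdict(list)
    for ts, user, host in requests:
        per_user[user].append(ts)
        per_user_domain[(user, reporting_domain(host))].append(ts)
    users = {u: time_spent_minutes(t) for u, t in per_user.items()}
    domains = {k: time_spent_minutes(t) for k, t in per_user_domain.items()}
    return users, domains


T0 = datetime(2014, 10, 1, 10, 0)


def at(minutes: int) -> datetime:
    """Helper for the constructed sample: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


# Constructed sample log (not real UTM data): alice alternates between two
# domains for ten minutes; bob opens the same domain in two tabs at once and
# comes back half an hour later.
SAMPLE_REQUESTS = (
    [(at(m), "alice", "www.amazon.com") for m in (0, 2, 4, 6, 8, 10)]
    + [(at(m), "alice", "news.example.org") for m in (0, 1, 3, 5, 7, 9, 10)]
    + [(at(0), "bob", "mail.example.org"),
       (at(0), "bob", "www.example.org"),
       (at(30), "bob", "mail.example.org")]
)

if __name__ == "__main__":
    users, domains = web_usage_report(SAMPLE_REQUESTS)
    for user, minutes in sorted(users.items()):
        print(f"user {user}: {minutes:.0f} min")
    for (user, domain), minutes in sorted(domains.items()):
        print(f"user {user} on {domain}: {minutes:.0f} min")
```

The traffic volume the manual mentions is not modelled here; only the duration logic is. The 15-minute update interval means a session that is still open at report time has not been written yet, which is also why the most active sources on the Application Control tab appear only after a session timeout.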

When clients try to request invalid URLs, the Web Filter will log the request but will not be able to serve it. Those links will be counted as errors. They are not errors of the reporting or the Web Filter; in most cases, those errors occur because invalid or malformed links are placed in web content by the page creator.

Page Structure

Header Bar

First there is the header bar which consists of the following elements:

•   Home: This icon takes you back to the beginning, clear of any clicks or filters.

•   Forward/Backward: Use these icons to move back and forth along the history of your changes and settings. It works like in every web browser.

•   Available Reports: This drop-down list contains all available report types including, if existent, your saved reports. It is set to Sites by default. The result table of the Web Usage Report page is directly dependent on this reporting type setting.

Note – When using filters and clicking through reports notice how the Available Reports setting changes automatically. It always reflects the current reporting basis.

Standard: There are several report types available, see below for a detailed description.

Saved Web Reports: Here you can select saved web reports you created in the past.

•   Delete: Click this icon to delete a saved web report. Standard reports cannot be deleted.

•   Save: Click this icon to save a current view to be able to access this view easily in the future. It will be stored in the Available Reports drop-down list.

Filter Bar

Next there is the filter bar which consists of the following elements:

•   Plus: Click this icon to create additional filters, see below for a detailed description.

•   Amount: Use the drop-down list to reduce the amount of results in the table. You can limit the results to the top 10, top 50, or top 100 results.

•   Time: Use the drop-down list to limit or expand the results in the table to certain time frames. The Custom timeframe allows you to specify your own timeframe.

•   Departments: Use the drop-down list to limit the results in the table to defined departments. Departments can be created on the Departments page.

You can download the data in PDF or Excel format by clicking one of the corresponding icons on the right of the filter bar. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon you can get a pie chart displayed above the table. If you click the Send icon, a dialog window opens where you can enter one or more email recipients who should receive this report as well as a subject and a message before sending the data. You can also receive saved reports on a regular basis, see section Scheduled Reports for more information.

Results Table

Last, there is the results table. What you see here depends firstly on the selected report type (always reflected in the Available Reports list) and secondly on possibly defined filters.

Note – When anonymization is enabled, users are not displayed by their name or IP address but they appear enumerated instead.

Depending on the report type (Users, Categories, Sites, Domains, URLs, Overrides), the table provides a subset of the following columns:

#, Traffic, %, Duration, Pages, Requests, User, Site, Categories*, Action*, Reason*, Info*

* = Those cells can be clicked to further drill down information.

#: Position with regard to traffic caused.

Traffic: Size of traffic caused.

%: Percentage of overall traffic.

Duration: Users report type: time spent by user(s). Sites report type: total time (sum over all users) spent on the website(s).

Pages: Number of pages (that is, all requests answered with code 200 and content-type text/html) requested.

Requests: Number of web requests for a category, site, domain, or URL.

User: Name of the user who bypassed blocking. If anonymization is enabled, user_# is displayed.

Site: Site for which blocking was bypassed.

Categories: Shows all categories a URL belongs to. With more than one category, clicking the category opens a small dialog field to select one of the categories before a filter is created based on that category.

Action: Displays whether the website has been delivered to the client (passed), whether it has been blocked by an application control rule, or whether a user gained access to a blocked page using the bypass blocking feature (overridden).

Reason: Displays why a website request has been blocked or overridden. Example: A user tries to download an msi file and there is an application control rule which prohibits file transfers; then the cell displays msi for reason. In case of an overridden page, the reason entered by the user is displayed.

Info: If available, this cell displays additional information on why a website request has been blocked, e.g. when a file download was blocked due to its extension then the cell says extension.

Defining Filters

Filters are used to drill down the information displayed in the result table. They can be defined in two different ways: either by clicking the Plus icon in the Filter Bar or by clicking into the table.

Via Plus icon: After clicking the green Plus icon in the Filter Bar a small filter box with two fields is displayed. The first field, a drop-down list, lets you choose a report type, for example Category. The second field lets you choose or enter a value for the selected report type, e.g. Adult Topics when Category is selected. Click Save to save the filter and at the same time apply it to the result table.

Via table: Clicking into the table opens a dialog window Reporting Direction if there is more than one report type available for the item you clicked. You need to select one of the presented options for filtering. After that the Reporting Direction window closes, the relevant filter is created and displayed in the Filter Bar. The results table now shows the newly filtered results.

Example: The default report of the Web Usage Report is Sites. In the results table you click on any row (e.g. amazon.com). The Reporting Direction window opens and gives you three options: either you want to see information on Domains for the site, on Users who visited the site, or on Categories the site belongs to. You see that several users visited amazon.com and you want to know more about this, so you click the Users box. The window closes. In the Header Bar you see that the report type changed to Users and in the Filter Bar you see that the result table for Users is filtered by the site you selected (amazon.com). Therefore the table shows all users who visited that site and additionally information on their sessions.

Note – Sometimes it makes a difference where you click into a table row as some table cells provide their own filter (see the items with an asterisk (*) in the section Results Table above).

17.5.2 Search Engine Report

The Logging & Reporting > Web Protection > Search Engine Report page provides information on search engines used by your users and searches they made. At first glance, this page looks very complicated, but the best way to start is to use it and learn from the results.

Page Structure

Header Bar

First there is the header bar which consists of the following elements:

•   Home: This icon takes you back to the beginning, clear of any clicks or filters.

•   Forward/Backward: Use these icons to move back and forth along the history of your changes and settings. It works like in every web browser.

•   Available Reports: This drop-down list contains all available report types including, if existent, your saved reports. It is set to Searches by default. The result table of the Search Engine Report page is directly dependent on this reporting type setting.

Note – When using filters and clicking through reports notice how the Available Reports setting changes automatically. It always reflects the current reporting basis.

Standard: There are three report types available, see below for a detailed description.

Saved Search Engine Reports: Here you can select saved search engine reports you created in the past.

•   Delete: Click this icon to delete a saved search engine report. Standard reports cannot be deleted.

•   Save: Click this icon to save a current view to be able to access this view easily in the future. It will be stored in the Available Reports drop-down list.

Filter Bar

Next there is the filter bar which consists of the following elements:

•   Plus: Click this icon to create additional filters, see below for a detailed description.

•   Amount: Use the drop-down list to reduce the amount of results in the table. You can limit the results to the top 10, top 50, or top 100 results.

•   Time: Use the drop-down list to limit or expand the results in the table to certain time frames. The Custom timeframe allows you to specify your own timeframe.

•   Departments: Use the drop-down list to limit the results in the table to defined departments. Departments can be created on the Departments page.

You can download the data in PDF or Excel format by clicking one of the corresponding icons on the right of the filter bar. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon you can get a pie chart displayed above the table. If you click the Send icon, a dialog window opens where you can enter one or more email recipients who should receive this report as well as a subject and a message before sending the data. You can also receive saved reports on a regular basis, see section Scheduled Reports for more information.

Results Table

Last, there is the results table. What you see here depends firstly on the selected report type (always reflected in the Available Reports list) and secondly on possibly defined filters. The following report types are available:

•   Searches: Displays the search terms your users used.

•   Search Engines: Displays the search engines your users used.

•   Users Searches: Displays the users who did searches.

Note – When anonymization is enabled, users are not displayed by their name or IP address but they appear enumerated instead.

For each report type, the table provides the following information:

#: Position with regard to frequency.

Requests: Number of requests for a search term, for a search engine, or by a user.

%: Percentage of overall searches.

Defining Filters

Filters are used to drill down the information displayed in the result table. They can be defined in two different ways: either by clicking the Plus icon in the Filter Bar or by clicking into the table.

Via Plus icon: After clicking the green Plus icon in the Filter Bar, a small filter box with two fields is displayed. The first field, a drop-down list, lets you choose a report type, for example Search Engine. The second field lets you choose or enter a value for the selected report type, e.g. Google (google.com) when Search Engine is selected. Click Save to save the filter and at the same time apply it to the result table. Search terms are case insensitive and support wildcards: '*' to match zero or more characters and '?' to match one character.

Via table: Clicking into the table opens a dialog window Reporting Direction if there is more than one report type available for the item you clicked. You need to select one of the presented options for filtering. After that the Reporting Direction window closes, the relevant filter is created and displayed in the Filter Bar. The results table now shows the newly filtered results.

Example: The default report of the Search Engine Report is Searches. In the results table you click on any row (e.g. weather). The Reporting Direction window opens and gives you two options: either you want to see information on the search engines used for the search (Search Engines) or on users who searched for this term (Users Searches). You see that several users searched for weather and you want to know more about this, so you click the Users Searches box. The window closes. In the Header Bar you see that the report type changed to Users Searches and in the Filter Bar you see that the result table for Users Searches is filtered by the search you selected (weather). Therefore the table shows all users who searched for weather and additionally information on those searches.

17.5.3 Departments

On the Logging & Reporting > Web Protection > Departments page you can group users or hosts and networks into virtual departments. Those departments can then be used to filter web usage reports or search engine reports.

To create a department, proceed as follows:

1.   On the Departments tab, click Add Department.

The Add New Department dialog box opens.

2.   Enter a name.

In the Name field, enter a descriptive name for the department.

3.   Add users or hosts/networks.

A department definition can only contain users or hosts/networks, not both types at the same time.

•   Users: Add one or more users to the box who should be part of this department.

•   Hosts/Networks: Add one or more hosts or networks to the box which should be part of this department.

Comment (optional): Add a description or other information.

4.   Click Save.

The new department appears on the Departments list.

To either edit, delete, or clone a department click the corresponding buttons.

For information on usage of departments please see sections Web Usage Report and Search Engine Report.

17.5.4 Scheduled Reports

On the Logging & Reporting > Web Protection > Scheduled Reports page you define which of your saved reports you would like to send by email on a regular basis. Before you can create a scheduled report, you need to have at least one saved report (for more information on saving reports see sections Web Usage Report or Search Engine Report).

To create a scheduled report, proceed as follows:

1.   On the Scheduled Reports tab, click Add Scheduled Report.

The Add New Scheduled Report dialog box opens.

2.   Make the following settings:

Name: Enter a descriptive name for the scheduled report.

Interval: Select an interval from the drop-down list at which the report(s) should be sent.

Reports: All saved reports are listed here. Select the checkbox in front of each report that should be sent at the selected interval.

Recipients: Add recipients to the box who should receive the selected report(s). Note that you can add a list of recipients via the import button.

Comment (optional): Add a description or other information.

3.   Click Save.

The new scheduled report appears on the Scheduled Reports list.

To either edit, delete, or clone a scheduled report, click the corresponding buttons. Use the toggle switch of a report to disable sending of reports without deleting the scheduled report itself.

17.5.5 Application Control

The Logging & Reporting > Web Protection > Application Control page contains comprehensive statistics about the most active sources, most frequently visited destinations, and the most popular applications given for various time ranges.

From the first drop-down list, select the type of data to display, e.g., Top Sources or Top Applications. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the By Source and By Destination views you can manually provide an IP/Network, as well as network ranges (e.g., 192.168.1.0/24 or 10/8). On the By Service views you can enter protocol and service, separated by comma (e.g., TCP,SMTP or UDP,6000).
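The filter arguments accepted on the By Source, By Destination and By Service views use the same syntax here as on the Firewall (17.4.5) and IPS (17.4.7) tabs: a network in full or shortened form such as 10/8, or a protocol and service name or port separated by a comma. The following added example, which is not part of the product or its documentation, validates and normalizes both forms and applies them to constructed report rows. The service-name table and the row layout are assumptions made for the example; the UTM resolves service names from its own service definitions.

```python
import ipaddress

PROTOCOLS = {"tcp", "udp"}
# Constructed service-name table (assumption); the UTM resolves names from its
# own service definitions, which are not part of this example.
SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443, "dns": 53, "ssh": 22}


def parse_network(text: str):
    """Parse the By Source / By Destination filter argument.

    Accepts a full network ('192.168.1.0/24'), the short form with omitted
    trailing octets ('10/8' means 10.0.0.0/8) or a single host ('10.0.0.5',
    treated as /32). Host bits set below the prefix are masked off.
    """
    addr, has_prefix, prefix = text.strip().partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isascii() and o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError(f"invalid IPv4 address: {addr!r}")
    octets += ["0"] * (4 - len(octets))          # 10 -> 10.0.0.0
    prefix = prefix if has_prefix else "32"
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_service(text: str):
    """Parse the By Service filter argument 'PROTOCOL,SERVICE'.

    SERVICE is a port number or a known service name; returns (protocol, port).
    """
    proto, sep, service = (part.strip().lower() for part in text.partition(","))
    if not sep or proto not in PROTOCOLS:
        raise ValueError(f"expected 'TCP,<service>' or 'UDP,<service>', got {text!r}")
    if service.isascii() and service.isdigit():
        port = int(service)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    elif service in SERVICE_PORTS:
        port = SERVICE_PORTS[service]
    else:
        raise ValueError(f"unknown service name: {service!r}")
    return proto, port


def is_valid(parser, text: str) -> bool:
    """True when `parser` accepts `text`; lets a UI reject bad input up front."""
    try:
        parser(text)
        return True
    except ValueError:
        return False


# Constructed sample of report rows (not real UTM data).
SAMPLE_ROWS = [
    {"src": "10.1.2.3", "dst": "192.168.1.10", "proto": "tcp", "port": 25, "packets": 120},
    {"src": "10.9.8.7", "dst": "192.168.1.20", "proto": "udp", "port": 6000, "packets": 30},
    {"src": "172.16.0.5", "dst": "192.168.1.10", "proto": "tcp", "port": 25, "packets": 75},
    {"src": "10.1.2.3", "dst": "192.168.2.1", "proto": "tcp", "port": 443, "packets": 10},
]


def filter_by_source(rows, network_text: str):
    """Rows whose source address lies inside the given network filter."""
    net = parse_network(network_text)
    return [r for r in rows if ipaddress.ip_address(r["src"]) in net]


def filter_by_service(rows, service_text: str):
    """Rows matching the given 'PROTOCOL,SERVICE' filter."""
    proto, port = parse_service(service_text)
    return [r for r in rows if r["proto"] == proto and r["port"] == port]


if __name__ == "__main__":
    print(parse_network("10/8"))
    print(parse_service("TCP,SMTP"))
    print(len(filter_by_source(SAMPLE_ROWS, "10/8")))
    print(len(filter_by_service(SAMPLE_ROWS, "UDP,6000")))
```

Rejecting malformed arguments before they reach a query layer is the point of `is_valid`; the parsers raise `ValueError` with a message instead of silently matching nothing.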

On the Top Sources view, if you click an IP or a hostname in the result table, it will automatically be used as a filter for the Top Applications by Source view. On the Top Applications and Top Application Categories views, if you click an application or application category in the result table, it will automatically be used as a filter for the Top Sources by Application or Top Sources by Application Category view.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon (if present) you can get a pie chart displayed above the table.

The most active sources do not appear immediately in the table, but only after a session timeout has occurred. This is the case if a certain client (username or IP address) has ceased to surf the web for five minutes. The UTM considers this surfing session "dead" and writes it to a database before it gets displayed on the most active sources list.

17.5.6 Deanonymization

The Web Protection > Deanonymization tab is only accessible if anonymization is activated (see Logging & Reporting > Reporting Settings > Anonymizing).

Here it is possible to abandon anonymization for specific users regarding web protection reports. Proceed as follows:

1.   Enter both passwords.

Enter the first and the second password that have been provided to enable anonymization.

2.   Add users to deanonymize.

To the Deanonymize users box add the usernames of those users you want to deanonymize.

3.   Click Apply.

Your settings will be saved.

17.6 Email Protection

The tabs of the Logging & Reporting > Email Protection menu provide overview statistics about mail flow, mail usage and email protection.

17.6.1 Usage Graphs

The Email Protection > Usage Graphs tab provides overview statistics about the mail flow on the UTM given for various time frames:

•   Daily

•   Weekly

•   Monthly

•   Yearly

17.6.2 Mail Usage

The Email Protection > Mail Usage tab contains comprehensive statistics about the most actively used email addresses and address domains given for various time ranges.

From the first drop-down list, select the type of data to display, e.g., Top Senders or Top Domains. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the by Domain and by Address views you can manually provide a domain or an address, respectively. Note that for specifying domains, you can use the percent sign (%) as a wildcard. By placing a percent sign at the end of your keyword, you are telling Sophos UTM to look for exact matches or sub-sets. Note that the filter field is case-sensitive.
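Both wildcard syntaxes in this chapter, the case-insensitive '*' and '?' of the Search Engine Report filters (section 17.5.2) and the case-sensitive '%' of the domain filters here and on the Blocked Mail tab, can be implemented with one translation into an anchored regular expression. The following is an added example, not Sophos code; the sample rows are constructed, and treating '%' as "zero or more characters" anywhere in the pattern is an assumption, as the manual only documents the trailing use. Escaping every non-wildcard character matters: a filter such as example.com must match the literal dot, and a user-supplied filter must not be able to smuggle regex syntax into the match.

```python
import re

# Wildcard syntaxes documented for the two report filters. The Search Engine
# Report uses '*' and '?' and ignores case; the Mail Usage and Blocked Mail
# domain filters use '%' and are case-sensitive.
SEARCH_WILDCARDS = {"*": ".*", "?": "."}
DOMAIN_WILDCARDS = {"%": ".*"}   # assumption: '%' behaves like SQL LIKE's '%'


def wildcard_to_regex(pattern: str, wildcards: dict, case_sensitive: bool):
    """Translate a glob-style filter into an anchored regular expression.

    Every character that is not a wildcard is escaped, so 'example.com'
    matches the literal dot and filter text cannot inject regex syntax.
    """
    parts = [wildcards.get(ch, re.escape(ch)) for ch in pattern]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + "".join(parts) + "$", flags)


def search_term_matcher(term: str):
    """Matcher for Search Engine Report filters: '*', '?', case-insensitive."""
    return wildcard_to_regex(term, SEARCH_WILDCARDS, case_sensitive=False)


def domain_matcher(pattern: str):
    """Matcher for Mail Usage / Blocked Mail domain filters: '%', case-sensitive."""
    return wildcard_to_regex(pattern, DOMAIN_WILDCARDS, case_sensitive=True)


def filter_rows(rows, column: str, matcher):
    """Keep the rows whose `column` value matches the compiled filter."""
    return [row for row in rows if matcher.match(row[column])]


# Constructed sample rows (not real report data).
SEARCHES = [
    {"term": "Weather", "requests": 12},
    {"term": "weather forecast", "requests": 7},
    {"term": "whether", "requests": 1},
    {"term": "wither", "requests": 1},
]
DOMAINS = [
    {"domain": "example.com", "messages": 40},
    {"domain": "example.org", "messages": 15},
    {"domain": "Example.com", "messages": 3},
    {"domain": "mail.example.com", "messages": 9},
    {"domain": "exampleXcom", "messages": 1},
]


def matching_search_terms(term: str):
    return [row["term"] for row in filter_rows(SEARCHES, "term", search_term_matcher(term))]


def matching_domains(pattern: str):
    return [row["domain"] for row in filter_rows(DOMAINS, "domain", domain_matcher(pattern))]


if __name__ == "__main__":
    print(matching_search_terms("weather*"))   # case-insensitive prefix match
    print(matching_search_terms("w?ther"))     # '?' stands for exactly one character
    print(matching_domains("example.%"))       # trailing '%': exact match or sub-set
    print(matching_domains("example.com"))     # '.' is literal; exampleXcom is excluded
```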

On the Top Addresses and Top Domains views, if you click an address or a domain in the result table, it will automatically be used as a filter for the Top Addresses by Domain or Top Peers by Address view.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon (if present) you can get a pie chart displayed above the table.

17.6.3 Blocked Mail

The Email Protection > Blocked Mail tab contains comprehensive statistics about all blocked email requests based on antivirus and antispam.

From the first drop-down list, select the type of data to display, e.g., Top Blocked Spam Reason or Top Blocked Malware. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the Top Blocked Domain view, if you click a domain in the result table, it will automatically be used as a filter for the Top Blocked Addresses by Domain view. On the by Domain view you can manually provide a domain. Note that you can use the percent sign (%) as a wildcard. By placing a percent sign at the end of your keyword, you are telling Sophos UTM to look for exact matches or sub-sets. Note that the filter field is case-sensitive.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon (if present) you can get a pie chart displayed above the table.

17.6.4 Deanonymization

The Email Protection > Deanonymization tab is only accessible if anonymization is activated (see Logging & Reporting > Reporting Settings > Anonymizing).

Here it is possible to abandon anonymization for specific email addresses and/or domains regarding email protection reports. Proceed as follows:

1.   Enter both passwords.

Enter the first and the second password that have been provided to enable anonymization.

2.   Make the following settings:

Deanonymize addresses: You can add email addresses you want to deanonymize.

Deanonymize domains: You can add domains you want to deanonymize.

3.   Click Apply.

Your settings will be saved. Provided email addresses and domains become readable in reports.

17.7 Wireless Protection

The tabs of the Logging & Reporting > Wireless Protection menu provide overview statistics about relevant wireless protection events detected by Sophos UTM.

17.7.1 Daily

The Wireless Protection > Daily tab provides overview statistics of the last 24 hours about wireless networks and access points.

SSID Based Reporting

There is a chart for each wireless network. Each chart shows two graphs:

•   Connected clients: The number of clients connected to the wireless network.

•   Failed connection attempts: The number of failed connection attempts at the wireless network.

AP Based Report ing

For each accesspoint the table shows the maximum and average connected users, the uptime

(the accumulated time span the accesspoint was up during the last 24 hours) as well as the

number of reconnects.

17.7.2 Weekly

The Wireless Protection > Weekly tab provides overview statistics about wireless networks and

accesspointsof the last seven days. The histograms are described in the Daily section.

17.7.3 Monthly

The Wireless Protection > Monthly tab provides overview statistics about wireless networks and

accesspointsof the last four weeks. The histograms are described in the Daily section.

17.7.4 Yearly

The Wireless Protection > Yearly tab provides overview statistics about wireless networks and

accesspointsof the last twelve months. The histograms are described in the Daily section.

17.8 Remote Access

The tabs of the Logging & Reporting > Remote Access menu provide overview statistics about remote access activity and information on sessions.

17.8.1 Activity

The Remote Access > Activity tab provides overview statistics about the remote access activity on the UTM for IPsec, SSL VPN, PPTP, and L2TP given for various timeframes:

• Daily

• Weekly

• Monthly

• Yearly


Select Timeframe: Use the drop-down list to select a reporting timeframe. The page will reload automatically.

17.8.2 Session

The Remote Access > Session tab contains comprehensive statistics about completed sessions, failed logins, and current users given for various time ranges.

Note – The columns Up and Down show accounting data of the remote access connections. Accounting by default is disabled because it can increase the system load. You can enable it on the Reporting Settings > Settings tab in the Remote Access Accounting section.

From the first drop-down list, you can select the type of session you want to display: Current Users, Completed Sessions, or Failed Logins. Click the Update button to apply the filter.

Using the second drop-down list, you can filter the results. Depending on the selected session type, different filters are available, e.g., By Service or By Source IP Address. Some filters require you to select or enter a filter argument.

Using the third drop-down list, you can filter the results by time. Always click Update to apply the filters.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected. Additionally, by clicking the Pie Chart icon—if present—you can get a pie chart displayed above the table.

17.9 Webserver Protection

The tabs of the Logging & Reporting > Webserver Protection menu provide overview statistics about webserver requests, warnings, and alerts.


17.9.1 Usage Graphs

The Webserver Protection > Usage Graphs tab provides overview statistics about the webserver requests, warnings, and alerts on the UTM given for various time frames:

• Daily

• Weekly

• Monthly

• Yearly

17.9.2 Details

The Webserver Protection > Details tab contains comprehensive statistics about the most active clients, virtual hosts, backends, response codes, and various attacks given for various time ranges.

From the first drop-down list, select the type of data to display, e.g., Top Clients or Top Attackers Per Virtual Host. Select the desired entry, and, if an additional box is displayed, specify the respective filter argument. Additionally, using the drop-down list below, you can filter the entries by time. Always click Update to apply the filters.

On the By Client and By Attacker views you can manually provide an IP/Network, as well as network ranges (e.g., 192.168.1.0/24 or 10/8). On the By Virtual Host views you can manually provide a domain. Note that you can use the percent sign (%) as a wildcard. By placing a percent sign at the end of your keyword, you are telling Sophos UTM to look for exact matches or subsets. Note that the filter field is case-sensitive.

On the Top Clients or Top Attackers views, if you click an IP in the result table, it will automatically be used as a filter for the Top Response Codes by Client or Top Rules by Attacker view.

By default, 20 entries per page are displayed. If there are more entries, you can jump forward and backward using the Forward and Backward icons, respectively. In the Number of rows drop-down list, you can increase the number of entries displayed per page.

You can sort all data by clicking the table column headers.

You can download the data in PDF or Excel format by clicking one of the corresponding icons in the top right corner of the tab. The report is generated from the current view you have selected.


Additionally, by clicking the Pie Chart icon—if present—you can get a pie chart displayed above the table.

17.10 Executive Report

In the menu Logging & Reporting > Executive Report you can create a collection of the most important reporting data presented in graphical format to show network utilization for a number of services.

17.10.1 View Report

On the Logging & Reporting > Executive Report > View Report tab you can create a complete executive report based on the individual reports in the tabs and pages of the Reporting menu.

Click the button Generate Report Now to open a window showing the executive report.

17.10.2 Archived Executive Reports

The Executive Report > Archived Executive Reports tab provides an overview of all archived executive reports. Only those executive reports will be archived for which archiving has been selected on the Configuration tab.

17.10.3 Configuration

On the Executive Report > Configuration tab you can make the settings for executive reports.

Daily Executive Report

Daily executive report: If enabled, a daily executive report is created.

Archive PDF reports: If enabled, the daily executive report will be archived in PDF format. Archived executive reports can be accessed on the Archived Executive Reports tab.

Send reports as PDF instead of HTML: If enabled, the executive report sent by email is an attached PDF file. If unselected, it will be sent in HTML format.

Email addresses: Enter the email addresses of the recipients who should receive the executive report.

Weekly Executive Report

Most of the settings are described in the Daily Executive Report section.


You can additionally choose the weekday when the executive report should start to collect its data.

Monthly Executive Report

The settings are described in the Daily Executive Report section.

17.11 Log Settings

In the Logging & Reporting > Log Settings menu you can configure basic settings for local and remote logging.

17.11.1 Local Logging

On the Logging & Reporting > Log Settings > Local Logging tab you can make the settings for local logging. Local logging is enabled by default.

However, to activate local logging in case it was disabled, proceed as follows:

1.   On the Local Logging tab enable local logging.

Click the toggle switch.

The toggle switch turns green and the areas on this tab become editable.

2.   Select a time frame when log files are to be deleted.

From the drop-down list select what action is to be applied automatically on log files.

Never delete log files is selected by default.

3.   Click Apply.

Your settings will be saved.

Thresholds

Here you can define thresholds for local logging which are bound to certain actions that are to be carried out if a threshold is reached. The following actions are available:

• Nothing: No actions will be initiated.

• Send Notification: A notification will be sent to the administrator stating that the threshold was reached.


• Delete Oldest Log Files: The oldest log files will be deleted until the remaining amount is below the configured threshold or until the log file archive is empty. In addition, a notification of that event will be sent to the administrator.

• Shutdown System: The system will be shut down. A notification of that event will be sent to the administrator.

In case of a system shutdown, the administrator has to change the configuration of the local logging, configure log file deletion, or move away/delete log files manually. If the reason for the system shutdown persists, the system will shut down itself again the next time the log cleaning process runs, which happens daily at 12:00 AM (i.e., at midnight).

Click Apply to save your settings.

17.11.2 Remote Syslog Server

On the Logging & Reporting > Log Settings > Remote Syslog Server tab you can make the settings for remote logging. This function allows you to forward log messages from UTM to other hosts. This is especially useful for networks using a host to collect logging information from several UTMs. The selected host must run a logging daemon that is compatible with the syslog protocol.

To configure a remote syslog server, proceed as follows:

1.   On the Remote Syslog Server tab enable remote syslog.

Click the toggle switch.

The toggle switch turns amber and the Remote Syslog Settings area becomes editable.

2.   Click the Plus icon in the Syslog Servers box to create a server.

The Add Syslog Server dialog box opens.

3.   Make the following settings:

Name: Enter a descriptive name for the remote syslog server.

Server: Add or select the host that should receive log data from UTM. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

Caution – Do not use one of UTM's own interfaces as a remote syslog host, since this will result in a logging loop.


Port: Add or select the service definition which is to be used for the connection. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

4.   Click Apply.

Your settings will be saved.

Remote Syslog Buffer

In this area you can change the buffer size of the remote syslog. The buffer size is the number of log lines kept in the buffer. Default is 1000. Click Apply to save your settings.

Remote Syslog Log Selection

This area is only editable when remote syslog is enabled. Select the checkboxes of the logs that should be delivered to the syslog server. You can select all logs at once by selecting the option Select All. Click Apply to save your settings.

17.11.3 Remote Log File Archives

On the Logging & Reporting > Log Settings > Remote Log File Archives tab you can make the settings for remote archiving of log files. If remote log file archiving is enabled, the log files of the past day are packed and compressed into one file, which is transferred to a remote log file storage. Using the drop-down list you can select your preferred transfer method.

To configure a remote log file archive, proceed as follows:

1.   Enable the Remote Log File Archives function.

Click the toggle switch.

The toggle switch turns amber and the Remote Log File Archive area becomes editable.

2.   Select the log file archiving method.

From the drop-down list, select your preferred archiving method. Depending on your selection, the related configuration options for each archiving method will be displayed below. You can choose between the following archiving methods:

• FTP Server: The File Transfer Protocol (FTP) method needs the following parameters to be set:

  • Host: Host definition of the FTP server.

  • Service: TCP port the server is listening on.

  • Username: Username for the FTP server account.


  • Password: Password for the FTP server account.

  • Path: Remote (relative) path where the log files are stored.

• SMB (CIFS) Share: The SMB method needs the following parameters to be set:

  • Host: Host definition of the SMB server.

  • Username: Username for the SMB account.

  • Password: Password for the SMB account.

  Security Note – The password will be saved plain-text in the configuration file. It is therefore advisable to create a user/password combination uniquely for this logging purpose.

  • Share: SMB share name. Enter the path or the network share information where the log files are to be transferred to, e.g. /logs/log_file_archive.

  • Workgroup/Domain: Enter the workgroup or domain the log file archive is part of.

• Secure Copy (SSH Server): To use the SCP method, it is necessary that you add the public SSH DSA key to the authorized keys of your SCP server. On a Linux system, you can simply cut and paste the SSH DSA key and add it to the ~/.ssh/authorized_keys file of the configured user account. During the installation, Sophos UTM creates a new SSH DSA key. For security reasons, this SSH DSA key is not included in backups. After a new installation or the installation of a backup, you must therefore store the new SSH DSA key on the remote server to be able to securely copy your log file archives to the SCP server.

  The SCP method requires the following settings:

  • Host: Host definition for the SCP server.

  • Username: Username for the SCP server account.

  • Path: Remote (full) path where the log files should be stored.

  • Public DSA key: On the remote storage host, add the provided public DSA key to the list of authorized keys.

• Send by email: To have the log file archive sent by email, enter a valid email address.


3.   Click Apply.

Your settings will be saved.

If the transfer fails, the archive will remain on UTM. During each run of the log cleaning process, UTM tries to deliver all remaining archives.

17.12 Reporting Settings

In the Logging & Reporting > Reporting Settings menu you can make settings for the reporting functions such as enabling/disabling certain features of reporting, setting time frames and amounts for keeping data. Additionally, you can anonymize data to enhance privacy protection.

17.12.1 Settings

The Settings tab allows you to define reporting actions and the time period reporting data will be kept on the system before it is automatically deleted. The following report topics can be set:

• Application Control

• Authentication

• Email Protection

• Firewall

• IPS

• Network Usage

• Remote Access

• Web Protection

• Webserver Protection

Use the checkboxes on the left side to enable or disable reporting for a certain report topic. By default, all report topics are enabled.

Use the drop-down lists on the right to determine how long reporting data is kept.

Note – Disabling needless reports will lower the base load of your machine and can reduce performance bottlenecks. Try to keep time frames as short as possible since high amounts of stored data result in a higher base load and decreased responsiveness on the dynamic reporting pages.

The settings on this tab do not affect the log file archives.

Web Protection Reporting Detail Level

In this section you can define the detail level of Web Protection reporting. Note that a higher detail level results in a perceptible increase in memory usage and system load, so unless necessary, it is recommended to keep the detail level low.

The following detail levels are available:

• Domain only: Reports display the top-level domain and second-level domain of a URL, e.g. example.com. Third-level domains will also be displayed if they are enforced, such as example.co.uk.

• Full domain: Reports display the full domains, e.g. www.example.com or shop.example.com.

• 1 level of URL: Reports additionally display the first (virtual) directory of a URL, e.g. www.example.com/en/.

• 2 levels of URL: Reports additionally display the first two (virtual) directories of a URL, e.g. www.example.com/en/products/.

• 3 levels of URL: Reports additionally display the first three (virtual) directories of a URL, e.g. www.example.com/en/products/new/.
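The following is an added illustration, not Sophos code, of how a logged URL collapses under each of the detail levels listed above. The level names, and the short list of enforced multi-label suffixes standing in for whatever list UTM uses for cases like example.co.uk, are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the enforced multi-label suffixes (the page names
# example.co.uk as one case; the list UTM actually uses is not given there).
ENFORCED_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Level names are assumed for this example; they mirror the five options above.
LEVELS = ("domain_only", "full_domain", "url1", "url2", "url3")


def registrable_domain(host):
    """'Domain only': second-level domain, or the third level when the last
    two labels form an enforced suffix such as co.uk."""
    if host.replace(".", "").isdigit():      # a bare IPv4 address has no labels
        return host
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in ENFORCED_SUFFIXES else 2
    return ".".join(labels[-keep:])


def reduce_url(url, level):
    """Collapse a URL to what a report at the given detail level would show."""
    if level not in LEVELS:
        raise ValueError("unknown detail level: %r" % (level,))
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("no host in %r" % (url,))
    if level == "domain_only":
        return registrable_domain(host)
    if level == "full_domain":
        return host
    # "N levels of URL": the first N (virtual) directories. The last path
    # segment is a file name unless the path ends with a slash, so it never
    # counts as a directory; query string and fragment are dropped entirely.
    segments = parts.path.split("/")[1:]
    directories = [s for s in segments[:-1] if s]
    depth = int(level[-1])
    return host + "/" + "".join(d + "/" for d in directories[:depth])


def reduce_all(url):
    """Every detail level for one URL, least to most detailed."""
    return {level: reduce_url(url, level) for level in LEVELS}
```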

Executive Report Settings

In this area you can define, for each report period, the number of executive reports to keep:

l   Daily reports: 60 at maximum

l   Weekly reports: 52 at maximum

l   Monthly reports: 12 at maximum

Click Apply to save your settings.

For more information on the executive report and its options, see Logging & Reporting > Executive Report.


PDF Paper Settings

The default paper format for the PDF executive report is A4. Using the drop-down list you can alternatively select Letter or Legal. Click Apply to save your settings.

Remote Access Accounting

Here you can enable or disable accounting for remote access connections. If enabled, data about remote access connections is stored and displayed on the Logging & Reporting > Remote Access > Session tab in the Down and Up columns. If disabled, accounting is stopped. Note that if enabled, this feature may increase the system load.

CSV Delimiter Settings

Here you can define which delimiter is used when exporting reporting data to CSV format. Please note that with Windows operating systems the delimiter should match the regional settings of your system to make sure that the exported data will be displayed correctly in a spreadsheet program such as Excel.

IPFIX Accounting

By means of IPFIX you can export IPv4 flow data of UTM to a provider for purposes such as monitoring, reporting, accounting, or billing.

Internet Protocol Flow Information Export (IPFIX) is a message-based protocol for exporting accounting information in a universal way. The accounting information is collected by an exporter and sent to a collector. A typical set of accounting information for an IPv4 flow consists of source address, destination address, source port, destination port, bytes, packets, and network traffic classification data.

If enabled, UTM serves as exporter: it exports IPFIX accounting data. The collector generally is located at a provider's site where the accounting data of one or more of your UTMs is aggregated and analyzed. During the system setup at your provider, you will be given the hostname and you have to define a unique Observation Domain ID (OID) per exporter, i.e., UTM. Enter this data into the corresponding fields.

Data is exported on UDP port 4739. A single network connection uses two IPFIX flows: one for the export direction, one for the reply.

Security Note – Be aware that with IPFIX the accounting data will be transmitted unencrypted. It is therefore recommended to send the data via private network only.


Click Apply to save your settings.

IPFIX Private Enterprise Numbers

The templates used by UTM reference the Private Enterprise Numbers (PEN) 9789 (Astaro AG) and 21373 (netfilter/iptables project). The following elements are available:

| Name | ID | Type | Enterprise | Meaning |
|---|---|---|---|---|
| mark | 4 | uint32_t | Netfilter | The Netfilter conntrack mark. |
| conntrack_id | 6 | uint32_t | Netfilter | The Netfilter conntrack ID. |
| afcProtocol | 1 | uint16_t | Astaro | The protocol detected by the Astaro Flow Classifier. This field is always present, even if the classifier is off. If the classifier wasn't able to detect a protocol it reports protocol ID 0, which just means 'unknown'. |
| afcProtocolName | 2 | string | Astaro | The protocol name detected by the Astaro Flow Classifier as a 32 character ASCII string, zero terminated. |
| flowDirection | 4 | uint8_t | Astaro | The direction of the flow, which is one of In (1), Out (2) or Not In/Out (0). Each flow will be exported two times, one time for each direction. |
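To make the IPFIX Accounting section and the table above concrete, here is an added Python example (not Sophos code) that builds an IPFIX message carrying the enterprise-specific elements listed above alongside a few standard elements, and decodes it the way a collector would, resolving the enterprise bit and PEN in the template. The template layout, the Observation Domain ID 42, and the addresses and counters are constructed sample data; the standard element ids (1, 7, 8, 11, 12) are from the IANA IPFIX registry, and the wire format follows RFC 7011.

```python
import socket
import struct

PEN_ASTARO, PEN_NETFILTER = 9789, 21373  # Private Enterprise Numbers from the table
IE_NAMES = {  # (enterprise, element id) -> name; PEN 0 = standard IANA elements
    (0, 1): "octetDeltaCount", (0, 7): "sourceTransportPort",
    (0, 8): "sourceIPv4Address", (0, 11): "destinationTransportPort",
    (0, 12): "destinationIPv4Address",
    (PEN_NETFILTER, 4): "mark", (PEN_NETFILTER, 6): "conntrack_id",
    (PEN_ASTARO, 1): "afcProtocol", (PEN_ASTARO, 2): "afcProtocolName",
    (PEN_ASTARO, 4): "flowDirection",
}
DIRECTIONS = {0: "Not In/Out", 1: "In", 2: "Out"}
TEMPLATE_FIELDS = [  # constructed template 256: (enterprise, element id, byte length)
    (0, 8, 4), (0, 12, 4), (0, 7, 2), (0, 11, 2), (0, 1, 8),
    (PEN_NETFILTER, 4, 4), (PEN_NETFILTER, 6, 4),
    (PEN_ASTARO, 1, 2), (PEN_ASTARO, 2, 32), (PEN_ASTARO, 4, 1),
]


def build_message(odid, seq, export_time, sets):
    # RFC 7011 header: version 10, total length, export time, sequence, ODID.
    # Each set is (set id, body) and gets its own 4-byte set header.
    body = b"".join(struct.pack("!HH", sid, 4 + len(b)) + b for sid, b in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, odid) + body


def build_template(template_id, fields):
    # Enterprise-specific elements set the high bit of the id and append the PEN.
    out = struct.pack("!HH", template_id, len(fields))
    for pen, ie_id, length in fields:
        out += struct.pack("!HH", ie_id | (0x8000 if pen else 0), length)
        out += struct.pack("!I", pen) if pen else b""
    return out


def encode_flow(src, dst, sport, dport, octets, mark, ctid, afc, name, direction):
    # One data record laid out in TEMPLATE_FIELDS order (afcProtocolName: 32 bytes).
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HHQIIH", sport, dport, octets, mark, ctid, afc)
            + name.encode("ascii").ljust(32, b"\0") + struct.pack("!B", direction))


def parse_template_set(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4])
        off += 4
        fields = []
        for _ in range(count):
            ie_id, length = struct.unpack("!HH", body[off:off + 4])
            pen = struct.unpack("!I", body[off + 4:off + 8])[0] if ie_id & 0x8000 else 0
            off += 8 if ie_id & 0x8000 else 4  # enterprise bit: a 4-byte PEN follows
            fields.append((pen, ie_id & 0x7FFF, length))
        templates[tid] = fields


def parse_data_set(set_id, body, templates):
    if set_id not in templates:
        raise ValueError("data set %d arrived before its template" % set_id)
    fields = templates[set_id]
    rec_len, records, off = sum(f[2] for f in fields), [], 0
    while off + rec_len <= len(body):  # leftover bytes are padding
        rec = {}
        for pen, ie_id, length in fields:
            raw, off = body[off:off + length], off + length
            name = IE_NAMES.get((pen, ie_id), "pen%d/ie%d" % (pen, ie_id))
            if name.endswith("IPv4Address"):
                rec[name] = socket.inet_ntoa(raw)
            elif name == "afcProtocolName":  # zero-terminated ASCII string
                rec[name] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
            elif name == "flowDirection":
                rec[name] = DIRECTIONS.get(raw[0], raw[0])
            else:
                rec[name] = int.from_bytes(raw, "big")
        records.append(rec)
    return records


def parse_message(data, templates=None):
    templates = {} if templates is None else templates  # reuse across messages
    version, length, export_time, seq, odid = struct.unpack("!HHIII", data[:16])
    if version != 10 or length != len(data):
        raise ValueError("not a complete IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        if set_id == 2:
            parse_template_set(data[off + 4:off + set_len], templates)
        elif set_id >= 256:  # options template sets (id 3) are skipped here
            records.extend(parse_data_set(set_id, data[off + 4:off + set_len], templates))
        off += set_len
    return {"odid": odid, "seq": seq, "export_time": export_time, "records": records}


def sample_message():
    # Constructed export for ODID 42: one connection, exported twice (Out and In)
    fwd = encode_flow("192.168.1.10", "203.0.113.5", 51234, 443, 18432,
                      0x10, 123456, 0, "unknown", 2)
    rev = encode_flow("203.0.113.5", "192.168.1.10", 443, 51234, 90112,
                      0x10, 123456, 0, "unknown", 1)
    return build_message(42, 1, 1412121600,
                         [(2, build_template(256, TEMPLATE_FIELDS)), (256, fwd + rev)])
```

A real collector keeps the templates dict per exporter (ODID) across messages, since UTM will not resend the template with every data set.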

17.12.2 Exceptions

The Reporting Settings > Exceptions tab allows you to exclude certain domains and addresses from reporting, which affects the Executive Report as well as the affected Logging & Reporting pages and the affected statistics overview pages.

Note – The effect will not be immediately visible on today's statistics pages because the information on these pages is updated only every 10 to 15 minutes. Note also the import function with which you can define multiple items at once.

Reporting Exceptions: Web

In this section you can define domains to be excluded from all web protection reports. The domain names have to be entered exactly as they are listed in the Domains report on the Logging & Reporting > Web Protection > Web Usage Report tab. Click Apply to save your settings.

Reporting Exceptions: Mail

In these two sections you can define domains and mail addresses to be excluded from all email protection reports.

Use the Domains box to exclude all email addresses of a particular domain. Just enter the domain part of the email address, e.g. sophos.com. Use the Addresses box to enter particular email addresses to exclude from the reports. Click Apply to save your settings.

Emails having the specified domain names or addresses as sender or recipient will be excluded from all email protection reports.

Reporting Exceptions: Network Protection

In this section you can define IPv4 and IPv6 addresses to be excluded from all network protection reports. Click Apply to save your settings.

Reporting Exceptions: Network Accounting

In this section you can define IPv4 and IPv6 addresses to be excluded from all network usage reports. Click Apply to save your settings.

17.12.3 Anonymizing

The Reporting Settings > Anonymizing tab allows you to anonymize reporting data based on the four-eyes principle. That means that deanonymization can only take place when two different people agree on that procedure. Anonymization ensures that user data is kept secret when viewing reporting data, and therefore actions (such as web-surfing habits) cannot be traced back to a specific person.

To use anonymization, proceed as follows:

1.   On the Anonymizing tab enable anonymization.

Click the toggle switch.

The toggle switch turns amber and the Anonymizing Settings area becomes editable.

2.   Enter two security passwords.

The four-eyes principle only holds when two different people each enter a password that is unknown to the other.


3.   Click Apply.

Your settings will be saved.

To disable anonymization (globally) again, both passwords are necessary.

1.   On the Anonymizing tab click the toggle switch.

The toggle switch turns amber and the Anonymizing Settings area becomes editable.

2.   Enter both passwords.

Enter the first and the second password that have been provided to enable anonymization.

3.   Click Apply.

Your settings will be saved.

If necessary, anonymization can be disabled for single users, see Logging & Reporting > Web Protection and Logging & Reporting > Email Protection.


18 Support

This chapter describes the support tools available for Sophos UTM.

The pages of the Support menu contain many customer support related features ranging from various web links, through contact information, to the output of useful network tools that are used to determine important network properties without the need to access UTM's command-line interface.

The following topics are included in this chapter:

• Documentation

• Printable Configuration

• Contact Support

• Tools

• Advanced

In addition, the main page of the Support menu contains web links to the following information resources:

• Knowledgebase (KB): The official knowledgebase of Sophos NSG contains extensive information on configuring Sophos UTM.

• Known Issues List (KIL): The list of known problems that cannot be fixed or for which a workaround is available.

• Hardware Compatibility List (HCL): The list of hardware that is compatible with Sophos UTM Software.

• Up2Date Information: The Sophos NSG Up2Date blog, which informs about product improvements and firmware updates.

18.1 Documentation

Online Help

This section gives a description of how to open and use the online help.


Manual Download

You can download the current Administration Guide in PDF format. Select the language of the guide and click Start download. Note that you need a special reader to open PDF documents, such as Adobe's Reader or Xpdf.

Cross Reference – Administration Guides from former UTM versions and other documentation can be downloaded from the Sophos Knowledgebase.

18.2 Printable Configuration

On the Support > Printable Configuration page you can create a detailed report of the current WebAdmin configuration.

Note – The printable configuration is opened in a new window. Depending on your browser it may be necessary to allow pop-up windows for WebAdmin.

The structure of the printable configuration matches the WebAdmin menu structure to facilitate finding the corresponding configuration options in WebAdmin.

The printable configuration browser page consists of an overview page, called index, and several subpages. Links to subpages are highlighted blue. Subpages give detailed information on the respective topic. You can always return from a subpage to the index by clicking the Back to the index link at the bottom of the subpage.

There are two more viewing options for the printable configuration:

• WebAdmin format

• Confd format

You can find the links to these viewing options at the bottom of the index page.

18.3 Contact Support

Sophos offers a comprehensive range of customer support services for its security solutions. Based on the support/maintenance level, you have various levels of access and committed response time by the Sophos service department and/or Sophos NSG Certified Partners.


All support cases concerning Sophos UTM are processed via the MyUTM Portal. You may open a support case via a web form by clicking Open Support Ticket in New Window. For more information see the MyUTM User Guide.

18.4 Tools

The tabs of the Support > Tools menu display the output of useful network tools that can be used to determine important network properties without the need to access UTM's command-line interface. The output of the following tools can be viewed:

• Ping

• Traceroute

• DNS Lookup

18.4.1 Ping Check

The program ping is a computer network tool used to test whether a particular host is reachable across an IP network. Ping works by sending ICMP echo request packets to the target host and listening for ICMP echo response replies. Using interval timing and response rate, ping estimates the round-trip time and packet loss rate between hosts.

To make a ping check, proceed as follows:

1.   Select the ping host.

Select the host you want to ping. In the Ping Host box, you can select a host for which a host definition exists. Alternatively, you can also select Custom hostname/IP address and enter a custom hostname or IP address into the textbox below.

2.   Select the IP version (only available if IPv6 is globally enabled).

From the IP version drop-down list, select IPv4 or IPv6.

3.   Click Apply.

The output of the ping check will be displayed in the Ping Check Result area.

18.4.2 Traceroute

The program traceroute is a computer network tool used to determine the route taken by packets across an IP network. It lists the IP addresses of the routers that were involved in transporting the packet. If the packet's route cannot be determined within a certain time frame, traceroute will report an asterisk (*) instead of the IP address. After a certain number of failures, the check will end. An interruption of the check can have many causes, but most likely it is caused by a firewall along the network path that blocks traceroute packets.

To trace a route, proceed as follows:

1.   Specify the traceroute host.

Select the host you want to trace the route to. In the Traceroute host box, you can select a host for which a host definition exists. Alternatively, you can also select Custom hostname/IP address and enter a custom hostname or IP address into the textbox below.

2.   Select the IP version (only available if IPv6 is globally enabled).

In the IP version drop-down list, select IPv4 or IPv6.

3.   Print hop addresses numerically rather than symbolically and numerically (optional).

Selecting this option saves a nameserver address-to-name lookup for each gateway found on the path.

4.   Click Apply.

The output of traceroute will be displayed in the Traceroute Result area.

18.4.3 DNS Lookup

The program host is a network tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.

To make a DNS lookup, proceed as follows:

1.   Specify the hostname/IP address.

Enter the hostname or IP address of the host for which you want to determine DNS information.

2.   Select Enable verbose output (optional).

Select this option to generate lengthy output showing more information.

3.   Click Apply.

The output of dig will be displayed in the DNS Lookup Result area.


18.5 Advanced

The Support > Advanced menu displays even more information on your UTM and gives access to advanced features. It gives an overview of running processes and local network connections, and you can view the routing table and the interfaces table. Additionally, you can download a support package for debugging and recovery purposes and find background information about internally used configuration references which you may encounter in log files.

18.5.1 Process List

The program ps displays a header line followed by lines containing information about your processes that have controlling terminals. This information is sorted by controlling terminal, then by process ID.

18.5.2 LAN Connections

The program netstat (short for  Network Statistics) is a network tool that displays a list of the act-

ive Internet connections a computer currently has, both incoming and outgoing.

18.5.3 Routes Table

The program ip is a network toolfor controlling TCP/IP networking and traffic control. Invoked

with the parameter route show table all it displays the contents of all routing tables of 

UTM.

18.5.4 Interfaces TableThe table shows all configured interfaces of Sophos UTM, both network interface cards and vir-

tual interfaces. The program ip invoked with parameter addrdisplays interfaces and their prop-

erties.

18.5.5 Config Dump

For debugging or recovery purposes it is useful to gather as much information as possible about your installation of Sophos UTM. The support package that can be downloaded from the Support > Advanced > Config Dump tab provides exactly this. The zip file contains the following items:

• The entire dump of UTM's configuration (storage.abf). Note that this is no genuine backup file (it does not contain any passwords, among other things) and can be used for debugging purposes only.

• Information on the hardware present in the system (hwinfo).

• Information on the software packages installed on the system (swinfo).

18.5.6 Resolve REF

For debugging purposes you can resolve configuration references internally used by the system. If you encounter a reference somewhere in the logs, you can paste the reference string here (e.g., REF_DefaultSuperAdmin). The tab will then display an excerpt of the configuration daemon's data structure.


19 Log Off

You can log out of UTM by clicking the Log Off menu entry. If you do not log out properly or if you close the web browser inadvertently, you might not be able to log in again for approximately 30 seconds.

Note – You will be logged out if you visit a different website during a session. In this case, you will have to log in again.


20 User Portal

This chapter provides information on how the User Portal works and which services it provides for end-users.

The User Portal of Sophos UTM is a browser-based application providing among others personalized email and remote access services to authorized users. It can be accessed by browsing to the URL of Sophos UTM, for example, https://192.168.2.100 (note the HTTPS protocol).

On the login page, users can select a language from the drop-down list located on the right side of the header bar.

Depending on which services and features have been activated in WebAdmin by the administrator, users can have access to the following services:

• Mail Quarantine
• Mail Log
• POP3 Accounts
• Sender Whitelist
• Sender Blacklist
• Hotspots
• Client Authentication
• OTP Tokens
• Remote Access
• HTML5 VPN Portal
• Change Password
• HTTPS Proxy

If the one-time password feature is enabled, a login page with one or more QR codes is displayed after the login attempt under some conditions. The login page is displayed only when the Auto-create OTP tokens for users feature is enabled, and the user logged in with his user-specific password only (not appending a one-time password), and an unused OTP token is available for the user. The page shows instructions on how to configure a mobile device to generate one-time passwords. After configuring the mobile device, the user can log in again, now using the UTM password, directly followed by the one-time password. Example: If your UTM password is 1z58.xa and the one-time password is 123456, just enter the password 1z58.xa123456 to log in.

20.1 User Portal: Mail Quarantine

On this tab, end-users can view and release messages held in quarantine.

Note – The Mail Quarantine tab is available if either POP3 or SMTP has been activated in WebAdmin and the user has been configured to use these services. If the user should receive emails both via SMTP and POP3, the emails will be organized into two tabs, POP3 Quarantine and SMTP Quarantine, both providing a similar functionality.

The Mail Quarantine tab shows an overview of all emails addressed to the user but blocked and quarantined by Sophos UTM. For POP3 quarantine emails to be listed, the user has to enter their POP3 credentials on the POP3 Accounts tab.

Sort and Filter Quarantined Emails

By default, all emails are shown. If the list contains more than twenty emails, it is split into several chunks which can be browsed with the Next (>) and Previous (<) buttons.

Users can influence which items are displayed:

Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date, subject line, sender address, and message size.

and show: The checkbox allows users to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.

Several elements on the page let users filter their emails:

• # messages quarantined: On top of the page, several checkboxes allow users to show or hide emails by the reason why they were quarantined (malware, spam, expression match, file extension, MIME type, unscannable, others).

• Addresses or Accounts: Allows users to filter the messages according to the recipient address (SMTP) or account (POP3).


• Sender/Rcpt/Subject substring: Here users can enter a sender, recipient (only with POP3), or subject to search for in the quarantined messages.

• Received date: To only show messages processed during a certain time frame, users can enter a date or select a date from the Calendar icon.

Manage Quarantined Emails

Users can apply actions on a message using the drop-down list in front of the message. An action can also be applied to several selected messages. Use the checkbox in front of each message or click a message to select it. Then select one of the actions available in the drop-down list below the table. The following actions are available:

• View (only available for an individual message): Opens a window with the contents of the email.

• Download: Selected messages will be downloaded in EML format.

• Delete: Selected messages will be deleted irrevocably.

• Whitelist Sender (only available for an individual message): Moves the email to your inbox and adds the sender to your whitelist (Sender Whitelist tab). Successive emails of this sender will not be quarantined. Note that mails containing malicious content will always be quarantined, even if the sender is on the whitelist.

• Release: Selected messages will be released from quarantine.

• Release and report as false positive: Selected messages will be released from quarantine and reported as false positive to the spam scan engine.

Note – The allowed actions depend on the reason why the email was quarantined, and on the WebAdmin settings. Users can only release messages they are explicitly allowed to. Only the administrator can release all messages held in quarantine.

Select global cleanup action: Here you find several deletion options that will be applied on messages globally, that is, regardless of whether they are selected and/or displayed or not.

20.2 User Portal: Mail Log

On this tab, end-users can view a log of their email traffic sent via SMTP.


Note – The Mail Log tab is only for email addresses belonging to the domain monitored by the SMTP proxy of Sophos UTM, and only available for users to whom the administrator gave access rights to this feature. If both SMTP and POP3 have been activated for a certain user, the tab is called SMTP Log.

The Mail Log tab shows log entries of all email traffic of the user's email addresses. Log entries of undelivered emails contain the information about why they have not been delivered. Double-clicking a log entry opens a window with more log information.

By default, all emails are shown. If the list contains more than twenty emails, it is split into several chunks which can be browsed with the Next (>) and Previous (<) buttons.

Users can influence which items are displayed:

Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date, subject line, sender address, and message size.

and show: The checkbox allows users to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.

Several elements on the page let users filter their emails:

• # log events on file: On top of the page, several checkboxes allow users to show or hide emails according to their status.

• Addresses: Allows users to filter the emails according to the sender address.

• Sender/Subject substring: Here users can enter a sender or subject to search for in the quarantined messages.

• Received date: To only show messages processed during a certain time frame, users can enter a date or select a date from the Calendar icon.

20.3 User Portal: POP3 Accounts

On this tab, end-users can identify themselves to be able to view and release their POP3 quarantine emails and receive quarantine reports.

Note – The POP3 Accounts tab is only available if the administrator enabled POP3 and added a POP3 server.


On the page, users need to enter the credentials of the POP3 accounts they use. Only those spam emails will appear in the User Portal for which POP3 account credentials are given. A user for whom POP3 account credentials are stored will receive an individual quarantine report for each email address.

20.4 User Portal: Sender Whitelist

On this tab, end-users can whitelist senders, so that messages from them are never regarded as spam. However, emails with viruses or unscannable emails will still be quarantined.

Note – The Sender Whitelist tab is only available if the user's email address belongs to the network or domain monitored by Sophos UTM, and the administrator assigned them access rights to the feature.

Whitelisted senders can be specified by clicking the Plus icon, entering the address and clicking the Tick icon to save it. Users can either enter valid email addresses (e.g., [email protected]) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com). Sender whitelist and sender blacklist can be used in combination: The user can for example blacklist an entire domain (e.g., *@hotmail.com) but whitelist specific email addresses belonging to this domain (e.g., [email protected]). This also works the other way round. If the exact email address is listed on both, whitelist and blacklist, the address is blacklisted.

20.5 User Portal: Sender Blacklist

On this tab, end-users can blacklist email senders, so the messages from them are always regarded as spam and therefore will be quarantined.

Note – The Sender Blacklist tab is only available if the user's email address belongs to the network or domain monitored by Sophos UTM, and the administrator assigned them access rights to the feature.

The blacklist is applied to both SMTP and POP3 email, if these are in use on the system. Blacklisted senders can be specified by clicking the Plus icon, entering the address and clicking the Tick icon to save it. Users can either enter valid email addresses (e.g., [email protected]) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com). Sender whitelist and sender blacklist can be used in combination: The user can for example blacklist an entire domain (e.g., *@hotmail.com) but whitelist specific email addresses belonging to this domain (e.g., [email protected]). This also works the other way round. If the exact email address is listed on both, whitelist and blacklist, the address is blacklisted.
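The precedence rules that sections 20.4 and 20.5 describe (exact entry beats domain wildcard in either direction, exact address on both lists is blacklisted, malicious or unscannable mail is quarantined regardless), as an added example that is not Sophos code. The entry syntax (full address or "*@domain"), case-insensitive matching, the caller-supplied scan verdicts and the tie-break for a domain-only match on both lists are assumptions.

```python
"""Sender whitelist/blacklist evaluation as the User Portal describes it.

Added example, not Sophos code. Assumed: list entries are either a full
address or a "*@domain" wildcard (the only wildcard form the manual names),
matching is case-insensitive, and the caller supplies the scan verdicts.
"""

NO_MATCH, DOMAIN, EXACT = 0, 1, 2  # specificity ranking of a list entry


def match_level(entry: str, sender: str) -> int:
    """How specifically a list entry covers a sender address."""
    entry, sender = entry.strip().lower(), sender.strip().lower()
    if entry == sender:
        return EXACT
    if entry.startswith("*@") and "@" in sender:
        return DOMAIN if sender.rsplit("@", 1)[1] == entry[2:] else NO_MATCH
    return NO_MATCH


def best_match(entries: list[str], sender: str) -> int:
    """Most specific match of any entry in the list (exact beats domain wildcard)."""
    return max((match_level(e, sender) for e in entries), default=NO_MATCH)


def decide(sender: str, whitelist: list[str], blacklist: list[str],
           malware: bool = False, unscannable: bool = False, spam: bool = False) -> str:
    """Return the quarantine decision for one message.

    Rules taken from the manual:
      - malicious or unscannable mail is quarantined even for whitelisted senders
      - an exact address listed on both lists is blacklisted
      - an exact entry beats a domain wildcard on the other list, in both directions
    Assumption (not stated on the page): when both lists match only via a
    domain wildcard, the blacklist wins, consistent with the exact-on-both rule.
    """
    if malware:
        return "quarantine:malware"
    if unscannable:
        return "quarantine:unscannable"
    wl, bl = best_match(whitelist, sender), best_match(blacklist, sender)
    if bl == EXACT:            # exact blacklist entry wins over anything on the whitelist
        return "quarantine:spam"
    if wl == EXACT:            # exact whitelist entry beats a blacklisted domain
        return "deliver"
    if bl == DOMAIN:           # domain blacklist (assumed to win a domain-only tie)
        return "quarantine:spam"
    if wl == DOMAIN:
        return "deliver"
    return "quarantine:spam" if spam else "deliver"   # neither list: scanner verdict decides


if __name__ == "__main__":
    # Constructed lists mirroring the manual's example: block a whole domain,
    # but allow one address inside it.
    wl = ["alice@hotmail.com"]
    bl = ["*@hotmail.com"]
    for s in ("alice@hotmail.com", "mallory@hotmail.com", "bob@example.com"):
        print(s, "->", decide(s, wl, bl, spam=False))
```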

20.6 User Portal: Hotspots

The Hotspot feature allows cafés, hotels, companies, etc. to provide time- and traffic-restricted Internet access to guests.

Note – The Hotspots tab of the User Portal is only visible for users if the administrator created a hotspot of one of the types Password or Voucher, and added the user to the allowed users.

On this tab, users can distribute the hotspot access information to wireless network guests. What they can do on the tab depends on the type of the selected hotspot: they can either distribute a general password or generate and distribute vouchers.

Hotspot type: Password of the day

In the Password field, the current password is displayed. It changes automatically once a day. However, users can change the password manually. The former password will immediately become invalid and active sessions will be terminated.

To change the password, users need to proceed as follows:

1. In the User Portal, they need to select the Hotspots tab.

2. They need to select the hotspot for which they want to manage the access information.

From the Hotspot drop-down list, they need to select the hotspot for which they want to change the password.

3. They need to define a new password.

They need to enter the new password in the Password field or automatically create a new password by clicking the Generate button.

4. If users want to send the new password per email, they need to select the Send Mail checkbox.


The password will be sent to the email recipients specified by the administrator. If the administrator did not specify any email addresses, the checkbox is not available.

5. They click Save.

The password will be changed immediately.

Hotspot type: Voucher

Users can create vouchers, each with a unique code. The vouchers can be printed and given to guests. A list of created vouchers gives an overview of their usage and helps to manage them.

To create vouchers, users need to proceed as follows:

1. In the User Portal, they need to select the Hotspots tab.

2. They need to make the following settings:

Hotspot: They need to select the hotspot for which they want to create a voucher.

Voucher Definition: The available voucher types are defined by the administrator. Which type to use for what purpose has to be defined within the company.

Amount: Users need to enter the amount of vouchers of this type to be created.

Comment: Optionally, they can enter a comment. The comment will be displayed in the user's vouchers list.

Print: If users directly want to print the vouchers, they need to select this option.

Page Size: They need to select the page size they want to print.

Vouchers Per Page: They select how many vouchers will be printed onto one page. UTM automatically adjusts the vouchers on the page.

Add QR Code: Users can request that in addition to the voucher text data, the printed voucher should also contain a QR code. A QR code is a square image containing encoded data. It can be scanned by a mobile device in order to access the hotspot login page, where the fields are pre-populated with the necessary data.

3. They need to click the Create Vouchers button.

The vouchers are generated. Each voucher will immediately be displayed as a new line in the voucher list below. If specified, they will be printed directly. Each voucher has a unique code.


Note – Contents, size, and layout of the vouchers are determined by the administrator.

In the voucher list users can manage vouchers. They can sort and filter the list, they can enter or change the comment and they can print, delete, or export selected vouchers.

• To sort the list, users need to select the desired sorting criterion in the Sort by drop-down list. With the drop-down list to the right, they can determine the number of displayed vouchers per page.

• To filter the list, users need to use one of the fields Status, Code, or Comment. They need to select or enter, respectively, the desired attribute. The list will be filtered directly while typing. To reset the filter, they need to select the status entry All and delete all text from the Code and/or Comment text field.

• To enter or change a comment, users need to click the Notepad icon in the Comment column of the respective voucher. An edit field is displayed. Users can enter or edit text and press the Enter key or click the checkmark to save changes.

• To print or delete vouchers, users need to select the checkbox in front of the desired vouchers, then click the appropriate button on the bottom.

Note – Vouchers can automatically be deleted after a specified time, which can be configured by the administrator.

• To export vouchers, users need to proceed as follows: They need to select the checkbox in front of the desired vouchers, then click the Export CSV button on the bottom. A window appears where they can decide to save or to directly open the CSV file. The selected vouchers will be saved in one CSV file. When opening the file users need to take care to select the correct character for column separation.

20.7 User Portal: Client Authentication

On this tab, end-users can download the setup file of the Sophos Authentication Agent (SAA). The SAA can be used as authentication mode for the Web Filter.

Note – The Client Authentication tab is only available if client authentication is enabled by the administrator.


20.8 User Portal: OTP Tokens

On this tab, end-users have access to the QR codes and data to install the OTP configuration on their mobile device.

Configure OTP Token With Google Authenticator

1. Install Google Authenticator on your mobile device.

2. Scan the QR code.

3. Open the app.

It shows you the one-time password that changes every 30 seconds.

4. Open the facility which you have to use the one-time password for.

The administrator configured the services for which you need to enter the one-time password, for example for connecting via remote access, for the web application firewall, or for the User Portal itself.

5. Enter your username and your UTM password, directly followed by the current one-time password. Then click the Login button.

Now you have access to the facility.

Using Other Software

1. Install the software on your mobile device.

2. Open the app.

3. Configure the app using the data beside the QR code.

The app now produces the one-time passwords.

4. Open the facility which you have to use the one-time password for.

The administrator configured the services for which you need to enter the one-time password, for example for connecting via remote access, for the web application firewall or for the User Portal itself.

5. Enter your username and your UTM password, directly followed by the current one-time password. Then click the Login button.

Now you have access to the facility.
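The login form that the chapter introduction and this tab describe (UTM password immediately followed by the one-time password, e.g. 1z58.xa123456), checked on the receiving side, as an added example that is not Sophos code. It assumes a Google Authenticator style token (RFC 6238 TOTP, HMAC-SHA1, 6 digits, 30-second step), a hypothetical user record layout, a one-step clock-drift tolerance and a replay guard on the accepted time step.

```python
"""Server-side check of a 'UTM password followed by the one-time password' login
as the User Portal and its OTP Tokens tab describe it.

Added example, not Sophos code. Assumed: the token is a Google Authenticator
style TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30-second step), the user record
layout, and the clock-drift tolerance of one step either way.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

OTP_DIGITS = 6
OTP_STEP = 30                   # the 30-second window the manual mentions
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret, base32


def totp(secret_b32: str, at: int, digits: int = OTP_DIGITS, step: int = OTP_STEP) -> str:
    """TOTP as an authenticator app computes it from the base32 secret in the QR code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", at // step)                       # counter = current time step
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str, otp_secret_b32: str) -> dict:
    """Hypothetical user record: salted password hash, OTP secret, last accepted step."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "otp_secret": otp_secret_b32,
        "last_step": -1,          # highest time step already consumed (replay guard)
    }


def verify_login(user: dict, submitted: str, now: int) -> tuple[bool, str]:
    """Split the submitted string the way the manual describes (static password
    immediately followed by the OTP) and check both parts."""
    if len(submitted) <= OTP_DIGITS:
        return False, "input too short for password plus OTP"
    static, otp = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not otp.isdigit():
        return False, "OTP must be digits"
    digest = hashlib.pbkdf2_hmac("sha256", static.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(digest, user["pw_hash"])      # constant-time compare
    otp_step = None
    for drift in (-1, 0, 1):                                  # tolerate one step of clock drift
        step = now // OTP_STEP + drift
        if hmac.compare_digest(otp, totp(user["otp_secret"], step * OTP_STEP)):
            otp_step = step
            break
    if not pw_ok or otp_step is None:
        return False, "bad password or OTP"                   # one message: neither part is confirmed alone
    if otp_step <= user["last_step"]:
        return False, "OTP already used"                      # replay of a still-valid code
    user["last_step"] = otp_step
    return True, "ok"


if __name__ == "__main__":
    user = make_user("1z58.xa", RFC_TEST_SECRET)              # the manual's example password
    now = int(time.time())
    print(verify_login(user, "1z58.xa" + totp(RFC_TEST_SECRET, now), now))
```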


20.9 User Portal: Remote Access

On this tab, end-users can download remote access client software and configuration files automatically generated and provided for them according to the WebAdmin settings made by the administrator.

Note – The Remote Access tab is only available if at least one remote access mode has been enabled for a user.

Only the remote access data is available that corresponds to the connection types the administrator enabled for a user, e.g., if a user has been enabled to use SSL VPN remote access, they will find an SSL VPN section.

Each connection type is displayed in a separate section. Depending on the connection type, information and/or buttons to download the respective software are available. Where appropriate, on top of the sections, users find an Open installation instructions in new window link which opens a detailed installation documentation.

20.10 User Portal: HTML5 VPN Portal

The HTML5 VPN Portal feature allows users from external sources to access internal resources via pre-configured connection types, using only a browser as a client.

Note – The HTML5 VPN Portal tab is only available for users for whom the administrator created VPN connections and added them to the allowed users.

Note – The user's browser has to be HTML5-compliant. The following browsers support the HTML5 VPN feature: Firefox 6.0 onwards, Internet Explorer 10 onwards, Chrome, Safari 5 onwards (on Mac only).

On the HTML5 VPN Portal tab the allowed connections are listed. The icons give a hint about the type of connection.

To use a connection, users need to proceed as follows:


1. Clicking the respective Connect button.

A new browser window opens. Contents and layout depend on the connection type, e.g., it contains a website if the user opened an HTTP or HTTPS connection, whereas it contains a command-line interface for SSH connections.

2. Working in the new VPN window.

For some tasks, the VPN window provides a connection-type-specific menu bar which fades in when the cursor is moved to the window top:

• Using function keys or key combinations: If users want to use special commands like function keys or CTRL-ALT-DEL, they need to select the respective entry in the Keyboard menu.

• Copy & paste from the local host into the VPN window: On the local machine, users need to copy the respective text into the clipboard. In the connection window, they need to select the Clipboard menu. With CTRL-V, they paste the text into the text box. After that they need to click the Send to Server button: With SSH or Telnet connections, the text will then be directly pasted at the cursor position. With RDP or VNC connections, the text will be sent to the clipboard of the server and can then be pasted as usual.

Note – Copy & paste does not work with Webapp connections.

• Copy & paste from the VPN window into another window: With SSH and Telnet connections, users can just copy and paste text like they would in local windows. With RDP or VNC connections, in the VPN window, users need to copy the respective text to their clipboard. Then they select the Clipboard menu. The copied text is displayed in the text box. Users need to mark the text and press CTRL-C. Now it is in the local clipboard and can be pasted as usual.

• Changing keyboard layout in a Remote Desktop connection: For Remote Desktop connections with a Windows host, users can change the keyboard language settings of the VPN window. Especially for the Windows login the selected language should match the Windows language settings to ensure that users type the password correctly. Users need to select the appropriate language from the Keyboard > Keyboard Layout menu. The selected keyboard layout is saved in a cookie.

• Go back to the Start page in a Webapp connection: To return to the default page in a Webapp connection, select the Navigation > Home menu.


3. Closing the connection after having finished their work.

• To finally terminate the connection, users need to select the Stop Session command from the Connection menu or close the browser window by clicking the X icon in the title bar. They can start a new session using the Connect button again.

• To disconnect the session, users need to select the Suspend Session command from the Connection menu. The status of the session will be saved for five minutes. When they connect again during this time interval, users can continue the previous session.

20.11 User Portal: Change Password

On this tab, end-users can change their password for access to the User Portal and, if available, remote access over PPTP.

20.12 User Portal: HTTPS Proxy

On this tab, end-users can import the HTTP/S Proxy CA certificate to get rid of error messages when visiting secure websites.

Note – The HTTPS Proxy tab of the User Portal is only available if the administrator globally provided an HTTP/S Proxy certificate.

After clicking Import Proxy CA Certificate, users will be prompted by their browser to trust the CA for various purposes.


Glossary

3

3DES
Triple Data Encryption Standard

A

ACC
Astaro Command Center

ACPI
Advanced Configuration and Power Interface

AD
Active Directory

Address Resolution Protocol
Used to determine the Ethernet MAC address of a host when only its IP address is known.

ADSL
Asymmetric Digital Subscriber Line

Advanced Configuration and Power Interface
The ACPI specification is a power management standard that allows the operating system to control the amount of power distributed to the computer's devices.

Advanced Programmable Interrupt Controller
Architecture for dealing with interrupts in multi-processor computer systems.

AES
Advanced Encryption Standard

AFC
Astaro Flow Classifier

AH
Authentication Header

AMG
Astaro Mail Gateway

APIC
Advanced Programmable Interrupt Controller

ARP
Address Resolution Protocol

AS
Autonomous System

ASCII
American Standard Code for Information Interchange

ASG
Astaro Security Gateway

Astaro Command Center
Software for monitoring and administering multiple Astaro gateway units by means of a single interface. Starting with version 4, the software was renamed Sophos UTM Manager (SUM).

Astaro Security Gateway
Software for unified threat management, including mail and web security. Starting with version 9, the software was renamed Unified Threat Management (UTM).

Authentication Header
IPsec protocol that provides for anti-replay and verifies that the contents of the packet have not been modified in transit.

Autonomous System
Collection of IP networks and routers under the control of one entity that presents a common routing policy to the Internet.

AWG
Astaro Web Gateway

AWS
Amazon Web Services

B

BATV
Bounce Address Tag Validation

BGP
Border Gateway Protocol

Bounce Address Tag Validation
Name of a method designed for determining whether the return address specified in an email message is valid. It is designed to reject bounce messages to forged return addresses.

Broadcast
The address used by a computer to send a message to all other computers on the network at the same time. For example, a network with IP address 192.168.2.0 and network mask 255.255.255.0 would have a broadcast address of 192.168.2.255.

C

CA
Certificate Authority

CBC
Cipher Block Chaining

CDMA
Code Division Multiple Access

Certificate Authority
Entity or organization that issues digital certificates for use by other parties.

CHAP
Challenge-Handshake Authentication Protocol

Cipher Block Chaining
Refers in cryptography to a mode of operation where each block of plaintext is "XORed" with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks up to that point.

Cluster
Group of linked computers, working together closely so that in many respects they form a single computer.

CMS
Content Management System

CPU
Central Processing Unit


CRL
Certificate Revocation List

CSS
Cascading Style Sheets

D

DC
Domain Controller

DCC
Direct Client Connection

DDoS
Distributed Denial of Service

DER
Distinguished Encoding Rules

Destination Network Address Translation
Special case of NAT where the destination addresses of data packets are rewritten.

Device tree
Located below the main menu. Grants access to all gateway units registered with the SUM.

DHCP
Dynamic Host Configuration Protocol

Digital Signature Algorithm
Standard propagated by the United States Federal Government (FIPS) for digital signatures.

Digital Subscriber Line
Family of technologies that provides digital data transmission over the wires of a local telephone network.

Distinguished Encoding Rules
Method for encoding a data object, such as an X.509 certificate, to be digitally signed or to have its signature verified.

DKIM
Domain Keys Identified Mail

DMZ
Demilitarized Zone

DN
Distinguished Name

DNAT
Destination Network Address Translation

DNS
Domain Name Service

DOI
Domain of Interpretation

Domain Name Service
Translates the underlying IP addresses of computers connected through the Internet into more human-friendly names or aliases.

DoS
Denial of Service

DSA
Digital Signature Algorithm

DSCP
Differentiated Services Code Point


DSL
Digital Subscriber Line

DUID
DHCP Unique Identifier

Dynamic Host Configuration Protocol
Protocol used by networked devices to obtain IP addresses.

E

eBGP
Exterior Border Gateway Protocol

ECN
Explicit Congestion Notification

Encapsulating Security Payload
IPsec protocol that provides data confidentiality (encryption), anti-replay, and authentication.

ESP
Encapsulating Security Payload

Explicit Congestion Notification
Explicit Congestion Notification (ECN) is an extension to the Internet Protocol and allows end-to-end notifications of network congestion without dropping packets. ECN only works if both endpoints of a connection successfully negotiate to use it.

F

FAT
File Allocation Table

File Transfer Protocol
Protocol for exchanging files over packet-switched networks.

FQHN
Fully Qualified Host Name

FTP
File Transfer Protocol

G

Generic Routing Encapsulation
Tunneling protocol designed for encapsulation of arbitrary kinds of network layer packets inside arbitrary kinds of network layer packets.

GeoIP
Technique to locate devices worldwide by means of satellite imagery.

GRE
Generic Routing Encapsulation

GSM
Global System for Mobile Communications

H

H.323
Protocol providing audio-visual communication sessions on packet-switched networks.

HA
High Availability

HCL
Hardware Compatibility List

HELO
A command in the Simple Mail Transfer Protocol (SMTP) with which the client responds to the initial greeting of the server.

High Availability
System design approach that ensures a defined degree of operational continuity.

HIPS
Host-based Intrusion Prevention System

HMAC
Hash-based Message Authentication Code

HTML
Hypertext Markup Language

HTTP
Hypertext Transfer Protocol

HTTP/S
Hypertext Transfer Protocol Secure

HTTPS
Hypertext Transfer Protocol Secure

Hypertext Transfer Protocol
Protocol for the transfer of information on the Internet.

Hypertext Transfer Protocol over Secure Sockets Layer
HTTP carried over an SSL/TLS connection, which adds encryption and server authentication to HTTP communication.

I

IANA
Internet Assigned Numbers Authority

iBGP
Interior Border Gateway Protocol

ICMP
Internet Control Message Protocol

ID
Identity

IDE
Integrated Drive Electronics

IDENT
Standard protocol that helps identify the user of a particular TCP connection.

IDN
Internationalized Domain Name

IE
Internet Explorer

IKE
Internet Key Exchange

IM
Instant Messaging

Internet Control Message Protocol
Special kind of IP protocol used to send and receive information about the network's status and other control information.

Internet Protocol
Data-oriented protocol used for communicating data across a packet-switched network.

Internet Relay Chat
Open protocol enabling instant text communication over the Internet.

Internet service provider
Business or organization that sells to consumers access to the Internet and related services.

IP
Internet Protocol

IP Address
Unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard.

IPS
Intrusion Prevention System

IPsec
Internet Protocol Security

IRC
Internet Relay Chat

ISP
Internet Service Provider

L

L2TP
Layer Two (2) Tunneling Protocol

LAG
Link Aggregation Group

LAN
Local Area Network

LDAP
Lightweight Directory Access Protocol

Link-state advertisement
Basic communication means of the OSPF routing protocol for IP.

LSA
Link-state advertisement

LTE
3GPP Long Term Evolution

M

MAC
Media Access Control

MAC Address
Unique code assigned to most forms of networking hardware.

Managed Security Service Provider
Provides security services for companies.

Management Information Base
Type of database used to manage the devices in a communications network. It comprises a collection of objects in a (virtual) database used to manage entities (such as routers and switches) in a network.

Masquerading
Technology based on NAT that allows an entire LAN to use one public IP address to communicate with the rest of the Internet.

MD5
Message-Digest algorithm 5

Message-Digest algorithm 5
Cryptographic hash function with a 128-bit hash value. Collisions can be produced in practice, so MD5 must not be used for digital signatures or certificates; it remains acceptable as an integrity checksum only where no attacker can influence the data.

MIB
Management Information Base

MIME
Multipurpose Internet Mail Extensions

MPLS
Multiprotocol Label Switching

MPPE
Microsoft Point-to-Point Encryption

MSCHAP
Microsoft Challenge Handshake Authentication Protocol

MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol Version 2

MSP
Managed Service Provider

MSSP
Managed Security Service Provider

MTU
Maximum Transmission Unit

Multipurpose Internet Mail Extensions
Internet Standard that extends the format of email to support text in character sets other than US-ASCII, non-text attachments, multi-part message bodies, and header information in non-ASCII character sets.

MX record
Type of resource record in the Domain Name System (DNS) specifying how emails should be routed through the Internet.

N

NAS
Network Access Server

NAT
Network Address Translation

NAT-T
NAT Traversal

Network Address Translation
Technique of rewriting the IP addresses (and, where needed, the ports) in packet headers as they pass through a gateway, so that, for example, many hosts with private addresses can share a few public addresses.

Network Time Protocol
Protocol for synchronizing the clocks of computer systems over packet-switched networks.

NIC
Network Interface Card

Not-so-stubby area
In the OSPF protocol, a type of stub area that can import autonomous system (AS) external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas.

NSSA
Not-so-stubby area

NTLM
NT LAN Manager (Microsoft Windows)

NTP
Network Time Protocol

O

Open Shortest Path First
Link-state, hierarchical interior gateway protocol (IGP) for network routing.

OpenPGP
Protocol combining strong public-key and symmetric cryptography to provide security services for electronic communications and data storage.

OSI
Open Source Initiative

OSPF
Open Shortest Path First

OU
Organisational Unit

P

PAC
Proxy Auto Configuration

PAP
Password Authentication Protocol

PCI
Peripheral Component Interconnect

PEM
Privacy Enhanced Mail

PGP
Pretty Good Privacy

PKCS
Public Key Cryptography Standards

PKI
Public Key Infrastructure

PMTU
Path Maximum Transmission Unit

POP3
Post Office Protocol version 3

Port
Virtual data connection that can be used by programs to exchange data directly. More specifically, a port is an additional identifier (in the cases of TCP and UDP, a number between 0 and 65535) that allows a computer to distinguish between multiple concurrent connections between the same two computers.

Portscan
Action of searching a network host for open ports.

Post Office Protocol version 3
Protocol for retrieving email from a mail server across packet-switched networks.

PPP
Point-to-Point Protocol

PPPoA
PPP over ATM Protocol

PPTP
Point to Point Tunneling Protocol

Privacy Enhanced Mail
Early IETF proposal for securing email using public key cryptography. Today the name mostly survives in the PEM file format, which wraps Base64-encoded DER data such as certificates and keys between "-----BEGIN ...-----" and "-----END ...-----" lines.

Protocol
Well-defined and standardized set of rules that controls or enables the connection, communication, and data transfer between two computing endpoints.

Proxy
Computer that offers a computer network service to allow clients to make indirect network connections to other network services.

PSK
Preshared Key

Q

QoS
Quality of Service

R

RADIUS
Remote Authentication Dial In User Service

RAID
Redundant Array of Independent Disks

RAM
Random Access Memory

RAS
Remote Access Server

RBL
Realtime Blackhole List

RDN
Relative Distinguished Name

RDNS
Reverse Domain Name Service

RDP
Remote Desktop Protocol

Real-time Blackhole List
Means by which an Internet site may publish a list of IP addresses linked to spamming. Most mail transport agent (mail server) software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. Web servers can likewise be configured to reject clients listed on an RBL.

RED
Remote Ethernet Device

Redundant Array of Independent Disks
Refers to a data storage scheme using multiple hard drives to share or replicate data among the drives.

Remote Authentication Dial In User Service
Protocol designed to allow network devices such as routers to authenticate users against a central database.

RFC
Request for Comments

Router
Network device that is designed to forward packets toward their destination along the best path known to its routing table.

RPS
RED Provisioning Service

RSA
Rivest, Shamir, & Adleman (public key encryption technology)

S

S/MIME
Secure/Multipurpose Internet Mail Extensions

SA
Security Association

SAA
Sophos Authentication Agent

SCP
Secure Copy (from the SSH suite of computer applications for secure communication)

SCSI
Small Computer System Interface

Secure Shell
Protocol that allows establishing a secure channel between a local and a remote computer across packet-switched networks.

Secure Sockets Layer
Cryptographic protocol that provides secure communications on the Internet, predecessor of Transport Layer Security (TLS).

Secure/Multipurpose Internet Mail Extensions
Standard for public key encryption and signing of email encapsulated in MIME.

Security Parameter Index
Identification tag carried in the IPsec (ESP or AH) header that, together with the destination address, tells the receiver which security association, and therefore which keys and algorithms, apply to the packet.

Sender Policy Framework
DNS-based email authentication mechanism used alongside the Simple Mail Transfer Protocol (SMTP). The owner of a domain publishes which hosts may send mail for it, so that receiving software can identify and reject forged sender domains in the SMTP MAIL FROM (Return-Path), a typical trait of email spam.
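As an added illustration, not taken from the manual or from Sophos UTM, the following Python code evaluates an SPF record against a sender IP address and MAIL FROM domain. The DNS data, domains and addresses are constructed inline so the check runs offline; the mechanisms covered (ip4, ip6, a, mx, include and all, with the four qualifiers) are the ones found in most published records.

```python
"""Offline SPF check (added example; not from the manual or Sophos code).

Evaluates the common RFC 7208 mechanisms (ip4, ip6, a, mx, include, all with
the +/-/~/? qualifiers) against a constructed DNS table, so it runs without
network access. All domains, addresses and records are invented for the demo.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS data: TXT (SPF), A and MX records for the demo domains.
DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:192.0.2.0/28 ~all"]},
    "soft.example": {"TXT": ["v=spf1 a ~all"], "A": ["192.0.2.100"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain: str) -> Optional[str]:
    """Exactly one v=spf1 TXT record is usable; zero or several yield none."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def _ip_in(ip, cidr: str) -> bool:
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:                      # malformed or empty argument
        return False


def check_spf(sender_ip: str, mail_from_domain: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for the sender and MAIL FROM domain."""
    if depth > 10:                          # RFC 7208 lookup limit also guards include loops
        return "permerror"
    record = spf_record(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif mech == "a":
            host = arg or mail_from_domain
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(host, "A"))
        elif mech == "mx":
            host = arg or mail_from_domain
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(host, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            # include matches only when the referenced policy yields "pass"
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"              # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("198.51.100.25", "example.com"),
                    ("192.0.2.3", "example.com"), ("192.0.2.200", "example.com"),
                    ("192.0.2.200", "soft.example"), ("10.0.0.1", "nospf.example")]:
        print(f"{ip:>16} {dom:<22} {check_spf(ip, dom)}")
```

The example.com record ends in "-all", so a sender matching nothing earlier gets a hard "fail" that a receiving MTA can reject on; the included mailhost policy ends in "~all", whose "softfail" does not count as a pass for the include. The UTM's own SPF check in the SMTP proxy performs this evaluation against live DNS.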

Session Initiation Protocol
Signaling protocol for the setup, modification and termination of sessions between two or more communication partners. The text-based protocol is modeled on HTTP and can carry signaling data over TCP or UDP on IP networks. It is therefore the basis, among others, for Voice over IP (VoIP), video telephony and real-time multimedia services.

SFQ
Stochastic Fairness Queuing

Shared Secret
Password or passphrase shared between two entities for secure communication.

SIM
Subscriber Identification Module

Simple Mail Transfer Protocol
Protocol used to send and relay email across packet-switched networks.

Single sign-on
Form of authentication that enables a user to authenticate once and gain access to multiple applications and systems using a single set of credentials.

SIP
Session Initiation Protocol

SLAAC
Stateless Address Autoconfiguration

SMB
Server Message Block

SMP
Symmetric Multiprocessing

SMTP
Simple Mail Transfer Protocol

SNAT
Source Network Address Translation

SNMP
Simple Network Management Protocol

SOCKetS
Internet protocol that allows client-server applications to transparently use the services of a network firewall. SOCKS, often called the Firewall Traversal Protocol, is currently at version 5 and must be implemented in the client-side program in order to function correctly.

SOCKS
SOCKetS

Sophos UTM Manager
Software for monitoring and administering multiple UTM units by means of a single interface. Formerly known as Astaro Command Center.

Source Network Address Translation
Special case of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten.
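The following Python model is added here and is not taken from the manual or the UTM code base. It shows the three glossary entries DNAT, Masquerading and SNAT on constructed packets: outbound connections are masqueraded behind one public address with a tracked source port, replies are mapped back to the originating host, and an inbound DNAT rule publishes an internal service. The addresses (RFC 5737 documentation ranges), ports and the single rule are assumptions made for the example.

```python
"""Toy stateful NAT gateway (added example; not Sophos UTM code).

Demonstrates the glossary entries Masquerading/SNAT and DNAT on constructed
packets: outbound traffic is masqueraded behind one public address with a
tracked source port, replies are translated back, and one DNAT rule publishes
an internal service. All addresses (RFC 5737 ranges), ports and the rule are
assumptions made for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"             # constructed public address of the gateway
INTERNAL_WEB = ("192.168.1.20", 8443)  # constructed server published via DNAT


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip: str, dnat_rules: Dict[int, Tuple[str, int]]):
        self.public_ip = public_ip
        self.dnat_rules = dnat_rules                        # public port -> (host, port)
        self._next_port = 40000                             # start of masquerade port pool
        self._out: Dict[Tuple[str, int], int] = {}          # (private ip, port) -> public port
        self._in: Dict[int, Tuple[str, int]] = {}           # public port -> (private ip, port)

    def _alloc_port(self) -> int:
        if self._next_port > 65535:
            raise RuntimeError("masquerade port pool exhausted")
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def masquerade_out(self, pkt: Packet) -> Packet:
        """SNAT for LAN -> Internet: source becomes the public IP plus a tracked port."""
        key = (pkt.src, pkt.sport)
        if key not in self._out:            # new flow: allocate and remember a mapping
            pub_port = self._alloc_port()
            self._out[key] = pub_port
            self._in[pub_port] = key
        return replace(pkt, src=self.public_ip, sport=self._out[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: reverse a masquerade mapping, else apply DNAT, else drop."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self._in:           # reply to a connection we masqueraded
            host, port = self._in[pkt.dport]
            return replace(pkt, dst=host, dport=port)
        if pkt.dport in self.dnat_rules:    # unsolicited, but a published service
            host, port = self.dnat_rules[pkt.dport]
            return replace(pkt, dst=host, dport=port)
        return None                         # no state and no rule: drop


def demo() -> Dict[str, Optional[Packet]]:
    gw = NatGateway(PUBLIC_IP, dnat_rules={443: INTERNAL_WEB})

    # Two LAN hosts using the same source port must get distinct public ports.
    a_out = gw.masquerade_out(Packet("192.168.1.5", 51000, "198.51.100.7", 80))
    b_out = gw.masquerade_out(Packet("192.168.1.6", 51000, "198.51.100.7", 80))

    # The reply to host A arrives at the public IP and the allocated port.
    reply_a = gw.translate_in(Packet("198.51.100.7", 80, PUBLIC_IP, a_out.sport))

    # Unsolicited inbound: 443 hits the DNAT rule, 22 matches nothing.
    dnat_hit = gw.translate_in(Packet("198.51.100.9", 4444, PUBLIC_IP, 443))
    dropped = gw.translate_in(Packet("198.51.100.9", 4445, PUBLIC_IP, 22))

    return {"a_out": a_out, "b_out": b_out, "reply_a": reply_a,
            "dnat_hit": dnat_hit, "dropped": dropped}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:9} {pkt}")
```

The point a firewall administrator should take from the model is the asymmetry: masqueraded flows are reachable from outside only through the state the gateway created for them, whereas a DNAT rule opens the published port to anyone, so it needs a matching firewall rule and a hardened backend.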

Spanning Tree Protocol
Network protocol to detect and prevent bridge loops.

SPF
Sender Policy Framework

SPI
Security Parameter Index

SPX
Secure PDF Exchange

SSH
Secure Shell

SSID
Service Set Identifier

SSL
Secure Sockets Layer

SSO
Single sign-on

STP
Spanning Tree Protocol

SUA
Sophos User Authentication

Subnet mask
The subnet mask (also called netmask) of a network, together with the network address, defines which addresses are part of the local network and which are not. Individual computers are assigned to a network on the basis of this definition.

SUM
Sophos UTM Manager

Symmetric Multiprocessing
The use of more than one CPU.

SYN
Synchronize (TCP flag set on the first segment of a connection handshake)

T

TACACS
Terminal Access Controller Access Control System

TCP
Transmission Control Protocol

TFTP
Trivial File Transfer Protocol

Time-to-live
8-bit field in the Internet Protocol (IP) header stating the maximum time a packet is allowed to propagate through the network before it is discarded. In practice every router decrements it by one, so it acts as a hop limit.

TKIP
Temporal Key Integrity Protocol

TLS
Transport Layer Security

TOS
Type of Service

Transmission Control Protocol
Protocol of the Internet protocol suite allowing applications on networked computers to create connections to one another. The protocol guarantees reliable and in-order delivery of data from sender to receiver.

Transport Layer Security
Cryptographic protocol that provides secure communications on the Internet, successor of the Secure Sockets Layer (SSL).

TTL
Time-to-live

U

UDP
User Datagram Protocol

UMTS
Universal Mobile Telecommunications System

Unified Threat Management
Software for unified threat management, including mail and web security. Formerly known as Astaro Security Gateway.

Uniform Resource Locator
String that specifies the location of a resource on the Internet.

Uninterruptible power supply
Device which maintains a continuous supply of electric power to connected equipment by supplying power from a separate source when utility power is not available.

Up2Date
Service that allows downloading relevant update packages from the Sophos server.

UPS
Uninterruptible Power Supply

URL
Uniform Resource Locator

USB
Universal Serial Bus

User Datagram Protocol
Protocol allowing applications on networked computers to send short messages, known as datagrams, to one another without establishing a connection or guaranteeing delivery.

UTC
Coordinated Universal Time

UTM
Unified Threat Management

V

VDSL
Very High Speed Digital Subscriber Line

Virtual Private Network
Private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol such as PPTP or IPsec.

VLAN
Virtual LAN

VNC
Virtual Network Computing

Voice over IP
Routing of voice conversations over the Internet or through any other IP-based network.

VoIP
Voice over IP

VPC
Virtual Private Cloud

VPN
Virtual Private Network

W

WAF
Web Application Firewall

WAN
Wide Area Network

W-CDMA
Wideband Code Division Multiple Access

WebAdmin
Web-based graphical user interface of Sophos/Astaro products such as UTM, SUM, ACC, ASG, AWG, and AMG.

WEP
Wired Equivalent Privacy. Its RC4 keystream reuse and weak integrity check let an attacker recover the key from captured traffic within minutes; WEP is considered broken and WPA2 or later should be used instead.

Windows Internet Naming Service
Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows, a name server and service for NetBIOS computer names.

WINS
Windows Internet Naming Service

WLAN
Wireless Local Area Network

WPA
Wi-Fi Protected Access

X

X.509
Specification for digital certificates published by the ITU-T (International Telecommunication Union, Telecommunication Standardization Sector). It specifies the information and attributes required for the identification of a person or a computer system.

XSS
Cross-site scripting

List of Figures

Figure 1 WebAdmin: Initial Login Page 23
Figure 2 WebAdmin: Regular Login Page 24
Figure 3 WebAdmin: Dashboard 27
Figure 4 WebAdmin: Overview 29
Figure 5 WebAdmin: Example of a List 32
Figure 6 WebAdmin: Example of a Dialog Box 34
Figure 7 WebAdmin: Dragging an Object From the Object List Networks 37
Figure 8 MyUTM Portal 61
Figure 9 Licensing: Subscription Warning Message 66
Figure 10 Up2Date: Progress Window 69
Figure 11 User Portal: Welcome Page 77
Figure 12 Customization: Example Blocked Page and Its Customizable Parts 83
Figure 13 Customization: HTTP Download Page Step 1 of 3: Downloading File 87
Figure 14 Customization: HTTP Download Page Step 2 of 3: Virus Scanning 87
Figure 15 Customization: HTTP Download Page Step 3 of 3: File Download Completed 88
Figure 16 Customization: POP3 Proxy Blocked Message 90
Figure 17 Groups: eDirectory Browser of Sophos UTM 128
Figure 18 Authentication: Microsoft Management Console 130
Figure 19 Encryption: Using Two Sophos UTM Units 351
Figure 20 Mail Manager of Sophos UTM 369
Figure 21 Endpoint Protection: Overview 378
Figure 22 Mesh Network Use Case Wireless Bridge 409
Figure 23 Mesh Network Use Case Wireless Repeater 409
Figure 24 RED: Setup Sketch 447
Figure 25 LAN mode: Untagged 454
Figure 26 LAN mode: Untagged, drop tagged 455
Figure 27 LAN mode: Tagged 455
Figure 28 LAN mode: Disabled 455
Figure 29 RED 50: Hostname and Uplink Balancing (turquoise) and Hostname and Uplink Failover (red) 458
Figure 30 RED 50: Hostname Balancing and Uplink Failover (green) and Hostname Failover and Uplink Balancing (blue) 459
Figure 31 Reporting: Example of a Line Chart 526
Figure 32 Reporting: Example of a Pie Chart 526

Index

3

3DES, encryption 470, 507
3G/UMTS (interface type) 149, 151
  failover uplink 457
  MTU 152

A

access control
  logging of traffic 55
  to SSH 51
  to User Portal 125
  to WebAdmin 54-55
access points 395, 401-402
  active 403
  authentication at 396-397
  authorization of 402
  channel 404
  clients See wireless networks, clients
  configuration of 395
  country setting 402-403
  deletion of 402
  disabling of 402
  encryption 397
    algorithms 399
    passphrase 398
    WEP 398
    WPA/WPA2 398
  ETSI 402
  FCC 402
  grouping of 403, 407
  inactive 403
  label of 403
  mesh access points 408
  network assignment 406
  network interface of 396
  pending 397, 402-403
  reporting of 548
  root access points 408
  SSID 397-398
  status of 395
  types of 401
accounting data, reporting 101
activation keys, license 61
Active Directory 124, 128
  backend servers 129
  Base DN 130
  domain joining 136
  email recipient verification 318, 335
  FTP proxy and 312, 314
  groups 145
  port number 129
  prefetching with 145
  Single Sign-On 125, 136
  supported versions 128
Active Directory Group Membership Synchronization 144
Admin Password Setup (dialog window) 53
administration guide
  download of 563
  language of 564
administrative interface 20
administrator 118
  contact data 84, 86
  password of 53
  setting of 23
  WebAdmin access 55
administrator manual See administration guide
ADSL 161
advanced threat protection 40, 249
  activation of 249
  live log 250
  reporting of 534
AES, encryption 470, 507
ageing timeout, bridging 176
agent, SNMP 91
AH (protocol) 469, 506
aliases, IP addresses 165
Amazon VPC 466
  activation of 466

  connections 466
    import of 467
    setup of 467
    status of 466
anonymization, reporting data 544-545, 547, 560
antispam engine 321, 341
  BATV 325, 333, 336
  blacklisting 78, 120, 323, 337, 342, 575
  expression filter 324, 338, 342
  extra RBLs 336
  greylisting 324, 336
  RBLs 322, 336
  rejection of invalid HELO 324, 336
  rejection of missing RDNS entries 324, 336
  spam filter 322, 337, 341
  spam marker 323, 341
  SPF check 325, 336
  status of 41
  whitelisting 78, 120, 364, 366, 575
antispyware engine
  blocked spyware 39
  settings of 26
  status of 41
antivirus engine
  encrypted files 302
  maximum email size 340
  of endpoint protection 384
  of FTP proxy 311-312
  of POP3 proxy 340
  of SMTP proxy 318
  of web application firewall 432
  of Web Filter 283
    deactivation of 293
  scanning 52
    of downloads 432
    of emails 318, 336, 340
    of uploads 432
  settings of 26, 52
  status of 41
  unscannable files 302
  zip archives, encrypted 282, 312
AonSpeed (ISP) 162
APC (manufacturer) 16
AppAccuracy, application control 60
Apple OpenDirectory SSO (Web Filter authentication mode) 305
appliances
  default settings 22
  models 102
application control 307
  AppAccuracy 60
  network visibility 40, 307
  reporting of 543
  rules 44, 182, 308-310
  skiplist 310
Application Control (Web Filter message) 85
area, system settings 19
ARP
  broadcasts and bridging 176
  cache 101
  clashes 148
  gratuitous 101
  high availability and 101
  resolution, wrong 148
attacks, intrusion prevention 39-40
  patterns 251-252
  signatures 251
audio content, filtering 319, 337
auditor (user right) 56
auditor (user role) 55
authentication 124-125
  agent for 123
  cache for 125-126
    clearance of 126
  global settings 125
  IPsec 473-474
  live log 126
  of clients 109-110, 123
  of users 119
  SOCKS proxy 266
  timeout 303
  web application firewall 439, 443

  Web Filter 293, 303
    Apple OpenDirectory SSO 305
authentication algorithms
  Internet Key Exchange 476, 510
  IPsec 478, 512
  WPA/WPA2 enterprise 396-397
authentication servers 126
  Active Directory 124, 128
  eDirectory 124, 126
  external 109
  LDAP 124, 131
  RADIUS 124-125, 133, 397
  TACACS+ 124, 135
authentication services 109, 134
  external 124
authorization
  of users 134-135
automatic backups 76
  deletion of 76-77
  download of 77
  emailing of 76
  encryption of 76
  interval of creation 76
  password protection 77
  restoration of 77
  storage of 76
autonegotiation, interfaces 173
AV engine See antivirus engine
availability groups 113
  always resolved 113
  monitoring interval 113

B

backend directory services See directory services
backend servers
  Active Directory 129
  eDirectory 127
  LDAP 132
  RADIUS 133
  TACACS+ 135
backup uplink 167
backups
  as templates 75
  automatic 76
    before Up2Date installation 69
    deletion of 76-77
    download of 77
    emailing of 69, 76
    encryption of 76
    interval of creation 76
    password protection 77
    restoration of 77
    storage of 76
  available 73, 76-77
  confidential information and 73
  content of 73
  creation of 72-74
  creator of 73, 77
  deletion of 74
  download of 73
  emailing of 74
    recipients of 74
  encryption of 73
  file extensions 73
  import of 74-75, 77
  lockfiles and 74
  password protection 73
  readability of 73
  restoration of 24, 27, 72-73
    from USB flash drive 74
  SSH DSA keys and 555
  storage of 73
  version number 73
balancing rules, server load balancing 260
bandwidth monitor See flow monitor
bandwidth pools, Quality of Service 44, 183
bandwidth usage, reporting 531
base license 67
basic configuration 15, 21
  backup restoration 27
  basic system setup 23
BasicGuard, subscription 65, 67
battery operation, UPS 16

BATV 325, 333, 336
BGP See Border Gateway Protocol
bit mask 112
bit rate, network cards 40
Blacklist (Web Filter message) 85
blacklisting, email addresses 78, 120, 323, 337, 342, 575
blocked file 337
blocked IP address, due to failed logins 144
Blowfish (cipher) 73
Border Gateway Protocol 204
  activation of 205
  autonomous systems, multiple 205, 211
  debug information 211
  filter lists 210
  IP address match, strict 211
  multiple path routing 211
  neighbor routers 206
  peer routers 206
  route maps 208
branch offices, network integration of 447
bridging 22, 174
  ageing timeout 176
  ARP broadcasts 176
  configuration of 175
  EtherTypes, forwarding of 177
  firewall rules 175
  IPv6 and 177
  removal of bridge 176
  removal of interfaces 176
  Spanning Tree Protocol 176
  status of 175
  virtual MAC address 175, 177
  wireless 409
  with RED appliances 461
broadcasts, firewall and 236
browser See web browser
button bar, of WebAdmin 31
buttons, in WebAdmin 35
Bypass Content Block (Web Filter message) 86
bypassing blocked content, HTTP proxy
  authentication timeout 303

C

cache
  for authentication 125-126
    clearance of 126
  for Up2Dates 71
  of Web Filter 293, 305
CBC mode (Cipher Block Chaining) 73
CD-ROM drive, system requirements 16, 19
CD-ROM, for installation 17
central management, of UTM 94
certificate 97
certificate authority 23, 298, 487, 489
  download of 490
  fingerprint 302, 355
  import of 490
  signing CA 298, 489
    for VPN 491
  verification CA 301, 490
  Web Filter certificate 79, 582
  WebAdmin certificate 23, 56
certificates 305, 487
  date check 294
  deletion of 488
  download of 489
  generation of 118, 487
  import of 488
  information contained in 48
  invalid 49
  management of 445, 487, 523
  of User Portal 57
  of WebAdmin 23, 56-57
  public keys, import of 487
  remote access 118
  revocation lists 445, 481, 487, 490, 514, 523
  self-signed, of system 22, 487, 489
  SSL, of users 125, 494
  time, time zones, and 57
  trust check 294

  validity of 22, 57
  VPN ID 118, 488
  VPN ID type 488
  X.509 487
    local 23
    of users 118
changes, of WebAdmin settings 47
charsets, used by POP3 proxy 347
charts, reporting 526
Cisco VPN client 520
  configuration 520
  debug information 522
  iOS configuration 521, 523
  live log 521
cisco, vpn 99
client authentication 78, 109-110, 123
Client Authentication, section in User Portal 578
clusters, high availability 100, 102, 105
  autojoin 105
  configuration of 104
    of master 105, 107
  deactivation of 106
  hotspots and 411
  nodes 100, 102, 104
    resource usage 103
    system status 103
  status of 41
codes, of notifications 81
command-line access 51, See also shell access
community string, SNMP 91, 93
company information 23
company logo, customization of 84
company text, customization of 84
complexity, password 52, 144
Compliance Overview 98
compliant, devices 98
confidentiality footer, SMTP proxy 332, 338
configuration 21
  of system 40
  of Up2Dates 71
  of WebAdmin, overview 564
  reset of 52
configuration dump, support 567
configuration settings 99
configuration wizard See wizard
connection tracking helpers 242
  H.323 264
  SIP 263
connection types, for Internet uplink 25
connections, termination of 251
console See shell access
contact data, administrator 84, 86
content removal, websites
  deactivation of 294
controllers
  IDE 19
  SCSI 19
cookie signing 431
  key for 438
  Outlook Web Access 435
  secret of 431, 438
corresponding, vpn, wireless 99
country blocking 237
  exceptions 238
CPU usage 39, 104, 528
CPU, system requirements 16, 19
CRL See certificates, revocation lists
cross-site scripting
  protection from 425, 434
CSV export, delimiter 558
customer 97
customer support, Sophos UTM 564
customization
  home use license and 83, 366
  of company logo 84
  of company text 84
  of POP3 messages 84
  of Quarantine Report 84
  of quarantine status messages 84
  of system messages 83
  of Web Filter messages 84

D

Dashboard 26, 30, 39
  grouping of topics 42
  RAID display 17
  refresh rate 41
  settings of 41
  Sophos NewsFeed 42
data packets See packets
data protection configuration 338
databases, reset of 53
date 48
  NTP servers 48, 50
  setting of 19
    manual 48, 50
daylight saving time 49
dead peer detection, IPsec 481, 514
deanonymization, reporting data 544-545, 547
debug mode 98
decryption, email 350
default gateway, for external interface 25
default settings, appliances 22
definitions 109
  of MAC addresses 114
  of networks 109
  of services 109, 115
  of time periods 109, 117
Denial of Service See DoS, intrusion prevention
departments, reporting 542
DER (file format) 356
destination address translation See DNAT
detection, hardware 17-18
device control, Endpoint Protection 388
device information, SNMP 92
DHCP 222
  HTTP proxy browser configuration, automatic 225
  IP address pool 111
  lease table 226, 228
    IPv4 226
    IPv6 228
  leases and prefix advertisements 228
  options 229
  relays 225
  requests, forwarding of 225
  servers 25, 223
  static mappings 226-229
  Web Filter browser configuration, automatic 303
  with RED appliances 460-461
  with wireless networks 396
dialog boxes, in WebAdmin 34
dig (network tool) 566
directory services 124, 126
  Active Directory 124, 128
  eDirectory 124, 126
  LDAP 124, 131
  RADIUS 124, 133
  TACACS+ 124, 135
directory traversals, protection from 425
Distinguished Name 127, 129, 132, 487
DKIM, SMTP proxy 332
DN See Distinguished Name
DNAT 245, 265
  firewall and 237
  firewall rules and 246
  PPTP access and 246
DNS 217
  cache, clearance of 218
  DNSSEC 217
  DynDNS 219
  forwarders 218-219
    by ISP 218
  groups 112
  hostname of system and 48
  hosts 112, 566
    time-to-live 112
  lookup 565-566
    Web Filter and 303
  proxy 267
  records, time-to-live 218
  reverse DNS 112

  servers 218
    allowed networks 217
    internal 217, 219
    remote access 522
    root 218
  static mappings 219
  wireless networks 396
  zone information 218
documentation, administrator 563
domain controllers See directory services
domains, SMTP 26
DoS, intrusion prevention 144, 253
Download Complete (Web Filter message) 86
Download in Progress (Web Filter message) 85
download manager, Web Filter 87, 303
download size 85
download throttling, Quality of Service 44, 184
downloads, antivirus scanning 432
DSA keys, SSH 555
  backups and 555
  public 555
DSL
  ADSL 161
  VDSL 159
DSL (PPPoA/PPTP) (interface type) 149, 161
  MTU 162
DSL (PPPoE) (interface type) 150, 159
  MTU 160
  multilink 161
dynamic address allocation 149
dynamic IP endpoints 112
dynamic routing (OSPF) See OSPF
DynDNS 219

E

eap 100
ECN (Explicit Congestion Notification)
  IPsec 475
  Quality of Service 186
eDirectory 124, 126
  backend servers 127
  Base DN 127
  groups 145
  port number 127
  prefetching with 145
  Single Sign-On 137
email address, of cache administrator, web messages 86
email addresses
  blacklisting of 78, 120, 323, 337, 342, 575
  conflict of 125
  unique 125
  whitelisting of 78, 120, 364, 575
email decryption 350
email domains 316
email encryption 321, 332, 348, 350
  activation of 351
  CA, creation of 351
  certificates 356
    automatic extraction, S/MIME 352
    information contained in 48
  configuration of 350
  decryption 350
  default policy settings 352
  internal users 352
  OpenPGP 352, 357
    keyservers 352
    public keys 357
  reset of 351
  S/MIME
    authorities 354
    certificates 352, 356
    public keys 354-355
  secure PDF exchange See email encryption, SPX
email encryption, SPX 357
  configuration 359
  notification subject 362
  notifications 360
  password 359
    password expiry 360

password settings 362

password, SPX

password reset 360

portal settings 360

precedence 359

reply portal 360, 363

reply portal settings 363

send notification 360

templates 316, 338, 361

unused password 360

email footers

antivirus check 321

format of 333

email log

in User Portal 573

email messages, customization of 89

Email Protection 315

data protection 326

encryption 348, See also Email Protection, SPX encryption

Mail Manager 368

POP3 proxy 338

Quarantine Report 364

reporting of 545-547

secure PDF exchange See Email Protection, SPX encryption

settings of 26

SMTP proxy 315

SPX encryption 357

configuration 359

notification subject 362

notifications 360

password 359

password expiry 360

password reset 360

password settings 362

portal settings 360

precedence 359

reply portal 360, 363

templates 361

statistics 315

subscription 67

email quarantine 77, 318, 340

false positives 364

high availability and 105

in User Portal 572

Mail Manager 369

mailing lists 366

POP3 Quarantine Report 366

release of emails 78, 318, 340, 364-365, 572

reporting of 546

email recipients

of backups 69

of executive reports 551

of hotspot passwords 415, 576

of logfile archives 555

of RED unlock code 449

of Web Protection reports 543

verification of 317, 325, 335

email relays 329-331

antivirus scanning 330

authentication 330

blacklisting of 330

host-based 330

upstream hosts 329

Email Released From Quarantine (SMTP proxy message) 89

embedded objects, in webpages

removal of 294

encryption algorithms

3DES 470, 507

AES 399, 470, 507

Internet Key Exchange 476, 510

IPsec 477, 511

TKIP & AES 399

encryption, email Seeemail encryption

encryption, wireless networks

WEP 398

WPA/WPA2 personal 396, 398

end-user portal SeeUser Portal

Endpoint Protection 377, 379

activation of 379, 392

antivirus engine 384


antivirus exceptions 386

antivirus policies 385

blocked attacks 40

blocked devices 40

computer management 379, 381-382

default group 384

deploy agent 381

grouping of computers 382

deactivation of 379, 392

device control 388

exceptions 389

policies 388

installation on endpoints 381

live log 378

parent proxy 384

registration at Sophos LiveConnect 384

status of 40

tamper protection 384

UTMID, resetting of 54

Web Control 391-392

enforce, cisco, vpn 99

enforce, l2tp, ipsec 99

enforce, wireless 99

Enterprise Toolkit, installation of 20

Error While Releasing Email From Quarantine (SMTP/POP3 proxy message) 89

ESP (protocol) 469, 506

Ethernet DHCP (interface type) 150, 157

MTU 158

Ethernet Static (interface type) 150, 153

MTU 154

proxy ARP 154

Ethernet VLAN (interface type) 150, 155

MTU 156

proxy ARP 156

Ethernet, modes of operation 173

Ether Types 177

Excel (format)

delimiter 558

download of reporting data in 532, 534-535, 537, 540, 544, 546, 549-550

exceptions

in reporting 559

POP3 proxy 342

SMTP proxy 328

Web Filter 293-295, 302

standard mode and 294

transparent mode and 294

executables, filtering 319, 337

executive reports 551

archived 551

configuration of 551

generation of 551

number of 557

PDF settings 558

settings of 557

view of 551

expression filter, POP3 proxy 342

expression filter, SMTP proxy 324, 338

external interfaces 25, 147

external networks 147

F

factory reset 52-53

system shutdown 53

failover, high availability 100-101

failover, Link Aggregation 166

failure, hardware, dealing with 100

false positives, quarantined emails 364

File Extension (Web Filter message) 85

file extensions

blocking of 282, 311-312

deactivation of 293

filtering of 320, 337, 340

of backups 73

File Size (Web Filter message) 85

filter field, of lists 33

Filtering Options, Web Filter 293

fingerprint, certificate authorities 302, 355

firewall 40, 233

broadcasts and 236

configuration of 236

connection tracking helpers 242


country blocking 237

exceptions 238

debug information 236

ICMP 240

IDENT traffic and 237

Internet access 245

live log 236

logging options 244

NAT and 237

protocol handling 243

reporting of 532-533

security policy 233

firewall profiles, web application firewall 430, 435

firewall rules 233-234

"Any" rules 234

active 40

automatic 234

change of 236

creation of 234

debug information 236

deletion of 236

DNAT and 246

for bridging 175

order of 234

rule matching 234

firmware updates 68, 70

download of 70-71

installation of 69-71

scheduling of 70

firmware version 39, 70

flood protection, intrusion prevention 253

ICMP 255

SYN 253

UDP 254

flow monitor 40, 43

adaption of 153-154, 156, 158, 160, 163, 165

form hardening 432, 434

secret of 439

forwarders, DNS 218

FQDN

hostname and 48, 522

FTP 311

clients 266

connection tracking helpers 242

servers 314

as log file archive 554

of Sophos UTM 71

FTP proxy 311

activation of 311

Active Directory and 312, 314

antivirus engine 311-312

blocking of file extensions 311-312

exceptions 313-314

maximum scanning size 312

operation modes 311

servers 314

skiplist 312, 314

full transparent (Web Filter operation mode) 277, 290

Fully Qualified Domain Name See FQDN

G

general 97

generic proxy 265

GeoIP 237

gratuitous ARP 101

greylisting 324, 336

groups

availability groups 113

DNS groups 112

multicast groups 112

network groups 113

service groups 115-116

user groups 121

Guest (wireless network) 396

H

H.323 264

connection tracking helpers 264

HA See high availability


hard disk

erasure of 21

size and type 19

system requirements 16

usage of 39, 104

hardware

failure, dealing with 100

interfaces 173

minimum requirements 15, 19

reporting on 101, 528-529

hardware appliances, slot information 150

Hardware Compatibility List 16-17, 102, 155, 563

hardware detection 17-18

hardware interfaces 150

HCL See Hardware Compatibility List

HDD See hard disk

heart-beat requests, high availability 101

HELO, invalid 324, 336

help, online 68

high availability 98, 100

active-active 100, 105

active-passive 100, 105

ARP requests 101

autojoin 105

backup interfaces 107

clusters 100, 105

configuration of 104

automatic 104, 107

of master 105, 107

up2date rollback 107

deactivation of 106

failover 100-101

heart-beat requests 16, 101

hot standby 100, 105

license requirements 102

link aggregation 167

link monitoring 174

live log 103

master-master situations 107

nodes 100, 102

ID 102

resource usage 103

system status 103

status of 41, 102-103

reset of 53

system requirements 102

takeover 101, 106, 174

home use license 61

customization and 83

homepage, Sophos UTM 65, 151

hostname, system 57

configuration of 48

DNS and 48

hot standby 100, 102, 105

autojoin 105

configuration of 104

of master 105, 107

deactivation of 106

nodes

resource usage 103

system status 103

hotspots 411, 413, 423

access, unrestricted 423

cluster and 411

creation of 414

in User Portal 78

legal information 412

live log 413

vouchers 422

Hotspots, section in User Portal 576

HTML rewriting, web application firewall 427

HTML5 VPN Portal

remote access 516

section in User Portal 580

HTTP proxy See Web Filter 

HTTP return codes 260

HTTPS

problems with 300

return codes 260

WebAdmin CA certificate 23, 56

WebAdmin certificate 56


HTTPS proxy See also HTTP proxy; Web Filter

certificate authorities 298

fingerprint 302

problems with HTTPS 300

HTTPS Proxy, section in User Portal 582

I

IANA 92

ICMP 240

echo request 241, 565

echo response 241, 565

flood protection 255

settings of 240

icons, in WebAdmin 35

access point icons 410

Info icon 33

IPv4/IPv6 markers 191

IDE controllers 19

IDENT

IDENT traffic and firewall 237

protocol 267

IDENT relay See IDENT reverse proxy

IDENT reverse proxy 267

idle timeout, Web Admin 58

IKE See Internet Key Exchange

improvement program, Sophos UTM 59

Info icon 33

interface definitions 148

MAC address definitions 114

network definitions 110

service definitions 115

time period definitions 117

user definitions 118

initial login page 22

installation 15, 555

abortion of 19

and basic configuration 21

duration of 21

from CD-ROM 17

hardware requirements 15, 19

key functions during 17

of Enterprise Toolkit 20

of Open Source Software 20

problems after 21

system reboot after 21

warning message 21

installation instructions 17

installation menu 15

installation requirements 15

instant messaging clients 266

Interface Address 110

Interface Broadcast Address 110

Interface Network Address 110

interface persistence

server load balancing 262

uplink balancing 169

interfaces 147

administrative 20

aliases 167

automatic definitions of 148

dynamic address allocation 149

autonegotiation of 173

configuration of 147

default gateway 25

dynamic routing 198

external 25, 147, 154, 157

flow monitor 40, 43

groups 149, 151

Info icon 148

internal 20, 25, 147

link aggregation 166

load balancing 100, 105, 167

multicast routing 213

of name "Internal" 149

of status "Down" 148, 153, 155, 157, 159, 161, 163, 165

of status "Up" 153, 155, 157, 159, 161, 163, 165

OSPF 198

Quality of Service 177, 185

slot information 150

table of 567


types of 149, 151, 153, 155, 157, 159, 161, 163, 165

3G/UMTS 149, 151

DSL (PPPoA/PPTP) 149, 161

DSL (PPPoE) 150, 159

Ethernet DHCP 150, 157

Ethernet Static 150, 153

Ethernet VLAN 150, 155

group 149, 151

Modem (PPP) 150, 163

uplink balancing 167

uplink monitoring 186

virtual 148, 166, 169

internal interfaces 20, 25, 147

internal mail server 26

internal network card 19

Internet (network definition) 110, 147

Internet Explorer 16

Internet Key Exchange

authentication algorithms 476, 510

Diffie-Hellman groups 476, 511

encryption algorithms 476, 510

security association lifetime 476, 511

Internet time servers See NTP servers

Internet uplink, connection type 25

Internet, access to 245

intrusion attempts 39

intrusion prevention 250

attack patterns 251-252

DoS protection 253

events 233

flood protection 253

live log 251

portscan detection 255

reporting of 233, 532, 534

settings of 25

signatures 40

status of 40

intrusion prevention system See IPS

iOS configuration

Cisco VPN client 521, 523

L2TP 504

PPTP 500

IP addresses

active 68

additional 165

aliases of 165

blocking of 144

IPv6 189

limitation on 68

link-local, IPv6 191

static, for remote access users 120

IP endpoints, dynamic 112

IP header 471, 508

IP masquerading 25

IPFIX

Private Enterprise Number 559

IPS 40

activation of 251

attack patterns 251-252

live log 251

performance of 259

rules 250, 252

modification of 258

IPsec 468,505

authentication 473-474, 479-480

X.509 certificates 480, 514

authentication algorithms 478, 512

certificates

information contained in 48

revocation lists 481, 514

client installation instructions 509

compression of IP packets 479, 513

connections 471-472, 508-509

encryption 470, 507

operation modes 469, 506

remote gateways 473-475

status of 465

dead peer detection 481, 514

debug information 482, 515

ECN 475

encryption algorithms 477, 511

high availability and 105

L2TP over IPsec 501, 505


NAT traversal 470-471, 481, 507-508, 514

PFS groups 478, 512

PMTU 475

policies 475-476, 479, 510, 513

preshared key probing 482, 515

protocol 465

protocols used by 469, 506

Quality of Service 185

security association lifetime 478, 512

strict policy 478, 513

TOS bits 471, 508

XAUTH 475

IPv6 189

activation of 190

bridging and 177

IP addresses 191

IPv4 193

tunneling of 193

IPv4 and IPv6, simultaneous use of 154, 156, 166

link-local addresses 191

object icons 191

prefix advertisements 191

prefix renumbering 192

status of 190

supported functions 189

tunnel brokers 193

IRC

clients 266

connection tracking helpers 242

J

JavaScript 16

removal of 294

K

Kerberos authentication support 136-137, 305

kernel modules 242

key functions, during installation 17

keyboard layout, selection of 19

keyboard shortcuts, in WebAdmin 57

keys

for cookie signing 438

for URL hardening 438

keyservers, OpenPGP 352

Knowledgebase, Sophos 16-17, 27, 66, 88, 102, 155, 563-564

Known Issues List, Sophos UTM 563

L

L2TP over IPsec 501, 505

access control 503

client installation instructions 503

configuration of 501

debug information 505

domain name 523

iOS configuration 504

l2tp, ipsec 99

LAG See link aggregation, groups

LAN 147

language, WebAdmin 54

LDAP 124, 131

backend servers 132

Base DN 133

port number 132

user attribute 132

LDAP browser 145

LDAP over SSL 127, 129, 132

lease table, DHCP 226, 228

license 24, 39

activation keys 61

base license 67

BasicGuard 65

download of 62

expiration of 61

for home use 61

for trial use 24, 61

free 68

FullGuard 62

information on 67

installation of 67

IP address limitation 68

MSP 65


notification about 68

purchase of 61

reset of 53

subscriptions 61

upgrade of 61

upload of 62

warning 65

license counter 68

license key 17

licensing 61

support services 67

line charts, reporting 526

link-local addresses, IPv6 191

link aggregation 166

alias interfaces 167

groups 167

link monitoring, high availability 174

link speed, increase of 166

Linux, SSH and 51

lists 32

Info icon 33

search in 33

live logs 31

load balancing, interfaces 100, 105, 167, 211

load balancing, servers 260

balancing rules 260

interface persistence 262

WAF servers 425, 427

weight distribution 262

load, system 39

reduction of 556

local logging 552

thresholds of 552

localization, of system messages 83

lockfiles and backups 74

log files

archive of 527, 554

email 555

FTP server 554

SMB share 555

SSH server 555

deletion of 527, 553

download of 527

live log 527

of SMTP 78, 573

of today 527

reset of 53

search in 527-528

view of 527

log off 569

log partition

histogram of, utilization 525

status of 525

usage of 39, 104

logging 42, 525

accessed webpages 294

blocked webpages 294

local 552

thresholds of 552

notifications and 552-553

remote 553

settings of 48, 552

time gaps 49

time settings 48

using syslog 553

login page

initial 22

standard 24, 28

login problems 569

logins, failed 144

loginuser 

password of 53

logout 569

automatic 569

M

MAC address definitions

creation of 114

Info icon 114

Mail Log, section in User Portal 573

Mail Manager 368

cleanup of database log 375

configuration of 374

statistics 373


Mail Manager Window 369

deletion of emails 370

download of emails 370

false positives, report of 370

global cleanup actions 371

opening of 373

POP3 quarantine 369

release of emails 370

restrictions of users 371

SMTP log 372-373

SMTP quarantine 369

SMTP spool 371

Mail Protection See Email Protection

Mail Quarantine See also email quarantine

section in User Portal 572

mail server, internal 26, 315, 317

mailing lists 366

whitelisting of 366

maintenance levels, support 564

Management Information Base, SNMP 90

management workstation 15

management, central, of UTM 94

manager (user right) 56

manual, administrator 563

language of 564

masquerading 25, 244, 265

rules 245

Master (high availability node) 101-102, 104

MD5 (hashing algorithm) 470, 506

MD5 authentication, OSPF 202

memory

system requirements 16

usage of 528

menu, WebAdmin 30

search box 31

mesh networks 408

message digest keys, OSPF 202

MGEUPS Systems (manufacturer) 16

MIB See Management Information Base, SNMP

Microsoft Active Directory See Active Directory

MIME Type (Web Filter message) 85

MIME types

Blacklist 337

blocking of 282-283, 302

deactivation of 293

filtering of 319, 337

of PAC file 304

Whitelist 337

Modem (PPP) (interface type) 150, 163

MTU 165

monitoring

of link status, high availability 174

of network 90

of nodes, high availability 101

of requests, web application firewall 430

of systems 94

of uplink 186

MSCHAPv2 (authentication protocol) 498

MSP licensing 65

MTU

3G/UMTS 152

DSL (PPPoA/PPTP) 162

DSL (PPPoE) 160

Ethernet DHCP 158

Ethernet Static 154

Ethernet VLAN 156

Modem (PPP) 165

multicast groups 112, 214

prefixes 214

multicast routing 212

activation of 212

deactivation of 213

debug information 216

firewall rules, automatic 216

interfaces 213

IP address range 212

live log 213

rendezvous point routers 214

routes 214

settings, advanced 215

shortest path 215

multicast, high availability 101


multilink, DSL (PPPoE) 161

multipath rules, uplink balancing 171

MyUTM Portal 61, 66, 565

N

NAS identifiers, RADIUS 134-135

NAT 165, 244

1 to 1 NAT 245, 247

DNAT 245

firewall and 237

firewall rules, automatic 248

FullNAT 247

masquerading 244

rules 246

SNAT 245

NAT traversal 470-471, 481, 507-508, 514

neighbor routers, BGP 206

netmask 112

netstat 567

network activities 525

network cards 16, 19

bit rate 40

configuration of 148

flow monitor 40, 43

heart-beat capable 16, 102

internal 19

name of 40

recognition of 147

Software Appliance and 147

sequence of 21

status of 40

SysIDs 154, 157

network definitions

availability groups 113

bind to interface 113

creation of 110

DNS groups 112

DNS hosts 112

hosts 111

Info icon 110

Internet 110

multicast groups 112

network groups 113

types of 111

network groups 113

of name "Uplink Primary Addresses" 169

network interfaces See interfaces

network mask See netmask

network monitoring 90

uplink monitoring 186

Network Protection 233-234, 236-238, 240-245, 249-268

Advanced Threat Protection 40, 249

country blocking 237

exceptions 238

exceptions in 256

firewall 233

generic proxy 265

ICMP 240

IDENT reverse proxy 267

intrusion prevention 250, 255

NAT 244-245

reporting of 532-533

server load balancing 260

SOCKS proxy 266

statistics 233

subscription 67

network services 217

DNS 217

NTP 232

network statistics 567

overview of 147

network usage, reporting 101, 529-530

network visibility, application control 40, 307

networks 109

definition of 109

external 147

never blocked 144

RED See RED Management

static 110

wireless See wireless networks

news, Sophos News Feed 42

NIC bonding See link aggregation

nodes, high availability 100, 102

dead 101

IDs of 102

Master 102, 104

monitoring of 101

reboot of 103

removal of 103

shutdown of 103

Slave 103

status of 103

system status 103

version of 103

Worker 103

non-compliant, devices 98

non-compliant, users 98

notifications 48, 81-82, 523

by email 81-82

codes of 81

device-specific text 82

license and 68

limiting of 81

logging and 552-553

recipients 81

smarthosts and 82

SNMP trap 81-82

types of 82

Novell eDirectory See eDirectory

NTLMv2 support 136

NTP 232

NTP servers 48, 50, 232

testing of 50

O

object identifier, SNMP traps 92

object lists 37

keyboard shortcuts 57

OID, SNMP traps 92

one-time passwords 138

settings of 139, 142

user configuration 579

User Portal 79, 571, 579

one-time token 138

online help, update of 68

Open Source software, installation of 20

OpenPGP encryption 352, 357

keyservers 352

public keys 357

Operating Instructions 15

operating status, system 39

operation modes

bridge mode 22

routing mode 22

organizational information, system 48

OSPF 196, 198

activation of 198

areas 199

deactivation of 199

debug information 203

interfaces 201

live log 201-202

MD5 authentication 202

message digest keys 202

settings, advanced 203

Outlook 364

add-in 364

Outlook Anywhere

web application firewall, passing of 430

Outlook Web Access 435

P

PAC files 303

example of 304

MIME type of 304

packet flow 22

packet loss 241, 565

packets

dropped 39, 233

dropping of 250-251

rejected 39

pagination, tables 58

parent proxies

as Up2Date cache 71-72, 95

authentication at 72, 331

SMTP proxy and 331

Web Filter and 285, 292

partition usage 528

log partition 529

root partition 39, 104, 529

storage partition 529

Partner Portal, Sophos NSG 565

password 97

for shell 52

of administrator 24, 53

setting of 23

of loginuser 53

setting of 52

of root 53

setting of 52

of users

change of 79, 582

setting of 119

of WebAdmin 24

reset of 52-53

password complexity 52, 144

password guessing 144

pattern updates 68

download of 70-71

installation of 69-71

online help 68

pattern version 39, 70

PCI ID 21

PDF (format)

download of reporting data in 532, 534-535, 537, 540, 544, 546, 549-550

peer routers See Border Gateway Protocol, neighbor routers

PEM (file format) 356, 489

pending access points 397, 402-403

pie charts, reporting 526

PIM-SM See multicast routing

ping 565

settings of 241

ping check 21, 565

availability group 113

server load balancing 261

PKCS#12 container (file format) 489

PMTU 475

policy routes 195-196

poll 99

POP3 accounts 78

POP3 Accounts, section in User Portal 574

POP3 Message Blocked (POP3 proxy message) 89

POP3 messages, customization of 84

POP3 proxy 26, 338

activation of 339

antispam engine 341

blacklisting of email addresses 78, 342, 575

expression filter 342

spam filter 341

spam marker 341

whitelisting of email addresses 78, 364, 575

antivirus engine 340

email encryption 350

encrypted emails 340

maximum email size 340

unscannable emails 340

charsets 347

configuration of 339

deletion of emails 339, 346

exceptions 342

file extension filter 340

live log 340

messages of, customization 89

port number 338

prefetching 345, 364

Quarantine Report 366

servers 344

skiplist, transparent mode 343

status of 40

timeout settings of client 339

TLS 347

POP3 quarantine See email quarantine

POP3 servers

allowed 78

definition of 344

TLS 344

port forwarder See generic proxy

port number 

of Active Directory 129

of eDirectory 127

of LDAP 132

of POP3 proxy 338

of Quarantine Report 368

of RADIUS 134, 397

of SSH 52

of SUM communication 96

of SUM Gateway Manager 96

of SUM WebAdmin 96

of TACACS+ 136

of User Portal 80

of Web Admin 22

port trunking  See link aggregation

portscan detection, intrusion prevention 255

activation of 255

PPTP 498-500

activation of 498

client installation instructions 499

connection tracking helpers 242

debug information 501

DNAT and 246

domain name 523

encryption 500

iOS configuration 500

live log 500

preferences

of user 57

prefetching, authentication groups 145

interval of 145

time of 145

with Active Directory 145

with eDirectory 145

prefetching, POP3 proxy 345, 364

prefix advertisements, IPv6 191

DHCP leases and 228

preinstalled software 15

preinstalled system 15

problems, after installation 21

process list, support 567

processor 19

system requirements 16

profiles, SMTP proxy 334-338

global settings 338

profiles, Web Filter 286

filter actions 279, 282-284, 291

parent proxies 292

policy test 306

protocols

AH 469, 506

ESP 469, 506

IPsec 465

LDAP 131

MSCHAPv2 498

NTP 232

of routing 196

RADIUS 133

syslog 553

TACACS+ 135

proxies

FTP 311

generic proxy 265

HTTP/S 270

IDENT reverse 267

POP3 338

reverse proxy Seeweb application firewall

SMTP 315

SOCKS 266

Web Filter 270

proxy ARP (function)

with Ethernet Static 154

with Ethernet VLAN 156

proxy server, government-approved See parent proxies

ps (support tool) 567

public keys, OpenPGP 357

public keys, S/MIME 354-355

public keys, SSH DSA 555


Q

QoS See Quality of Service

Quality of Service 177, 185

activation of 177

bandwidth pools 183

download throttling 184

ECN 186

interfaces 177

status of 177

traffic selectors 179

Quarantine Report 78, 119, 364-368, 575

activation of 365

customization of 84

delivery time 365

exceptions 366

false positives 364

hostname of 367

HTML and 366

mailing lists 366

message text, customization of 366

port number 368

release of emails 364-365

allowed networks 368

restrictions of users 368

report, additional 365

skiplist 366

whitelisting 364

quarantine status messages

customization of 84

quarantined emails 77

deletion of 370

from server 346

download of 370

false positives 364

report of 370

release of 78, 364-365, 370, 572

allowed networks 368

restrictions of users 368, 371, 573

Quick Start Guide Hardware 15

R

RADIUS 124-125, 133

backend servers 133, 397

NAS identifiers 134-135

port number 134, 397

protocol of 133

shared secret 134

RAID

controllers 17

display on Dashboard 17

support for 17

RAM

system requirements 16

usage of 39, 104

RBLs 322, 336

extra 336

RDNS entries, missing 324, 336

readonly (user role) 55

real webservers 425, 429-430

manual addition 429

matching virtual webservers 427

Realtime Blackhole Lists SeeRBLs

reboot, system

after installation 21

manual 108

recipient verification, SMTP proxy 317, 325, 335

recipients

of emails Seeemailrecipients

of notifications 81

recommended reading 15

RED appliances 447

automatic deauthorization 449

bridging of 461

configuration of 447-448, 450-451, 453, 458, 460

deletion of 460

deployment helper 450, 460-462

DHCP servers 460-461

live log 448

operation modes 453, 460-462

unlock code 451, 458

uplink modes 452, 462

VLAN 454

RED hub 448, 450

configuration of 448

RED Management 447-450, 453, 458, 460-462

activation of 448

deployment helper 450, 460-462

failover uplink 457

live log 448

routing 447

settings, global 448

setup of 447

overview of 448

status of 40

UTM as client 450, 462

UTM as host 450

RED Provisioning Service 449, 458

RED, balancing 459

redundancy, computer networks 100, 105, 166

regular expressions 33

Relative Distinguished Name 129

relays, DHCP 225

relays, email 329-331

antivirus scanning 330

authentication 330

blacklisting of 330

host-based 330

upstream hosts 329

remote access 493

certificates for 23, 118

Cisco VPN client 520

clientless SSL VPN 516

configuration files for users 493, 580

DNS servers 522

domain name 522

HTML5 VPN Portal 516

IPsec 505

L2TP over IPsec 501, 505

PPTP 498-500

reporting data of 558

reporting of 548-549

section in User Portal 79

SSL VPN 494-495

static IP address for users 120

status of 40, 493

WINS servers 522

Remote Access, section in User Portal 580

Remote Ethernet Device See RED Management

remote log file archive 554

email 555

FTP server 554

SMB share 555

SSH server 555

remote syslog server 553

rendezvous point routers, multicast routing 214

repeater, wireless 409

reporting 525

access points 548

accounting data 101

activation of 556

advanced threat protection 534

bandwidth usage 531

charts 526

deactivation of 556

email flow 545

Email Protection 545-547

email usage 545

emails, blocked 546

exceptions 559

executive reports 551

firewall 532-533

hardware information 101, 528-529

intrusion prevention 532, 534

IPFIX 558-559

line charts 526

Network Protection 532-533

network traffic 529-530

network usage 101, 529-530

pie charts 526

Quarantine Report 364-368

remote access 548-549, 558

settings of 48, 556

time frames 556

time gaps 49

time settings 48

web application firewall 549-550

Web Protection 535, 544-545

application control 543

data acquisition 269

departments 542

scheduled reports 543

search engine report 539

web usage 535

Webserver Protection 549-550

Wireless Protection 547-548

reporting data

anonymization of 544-545, 547, 560

automatic deletion 556

deanonymization of 544-545, 547, 561

download of 532, 534-535, 537, 540, 544, 546, 549-550, 558

high availability and 101

remote access 558

reset of 53

sending of 537, 540

request routing 219

resolve REF 568

resource usage 39, 100

restart, system 108

restoration, backups 24, 27

return codes, HTTP/S 260

reverse DNS 112

reverse proxy See web application firewall

revocation lists 445, 487, 490, 523

rights, user 56

root DNS servers 218

root password  53

route flapping 196

route maps, BGP 208

routing

automatic 195

BGP 205

multicast routing 212

policy routes 195-196

request routing 219

standard static routes 195

static routing 195

routing loops 196

routing mode 22

routing protocols 196

routing table 195-196, 567

RPS See RED Provisioning Service

RSA keys

and backups 73

site-to-site VPN IPsec 479-480

S

S/MIME encryption

authorities 354

certificates 356

automatic extraction 352

public keys 354-355

scanning See antivirus engine, scanning

scheduled reports 543

SCP servers 555

SCSI controllers 19

search box, of menu 30

keyboard shortcut 57

search engine report 539

Secure Copy, archiving method 555

Secure PDF Exchange See email encryption, SPX

Secure Shell 51, See also SSH

security certificate See certificates

security threats 39

identification of 525

security warning, web browser 22, 24, 56-57

self-signed certificate

of system 22

Sender Blacklist, section in User Portal 575

Sender Policy Framework See antispam engine, SPF check

Sender Whitelist, section in User Portal 575

Server Error (Web Filter message) 86

server load balancing 260

balancing rules 260

interface persistence 262

ping check 261

weight distribution 262

servers

DHCP 25, 223

DNS 217

for authentication 126

mail, internal 26

NTP 232

SCP 555

service definitions

change type of 117

creation of 115

Info icon of 115

of name "Web Surfing" 396

service groups 115-116

services

allowed by Web Filter 302

definition of 109, 115

network services 217

types of 25

using AH 116

using ESP 116

using ICMP 116

using IP 116

using TCP 115

using UDP 115

sessions, WebAdmin, overview of 47

SHA-1 (hashing algorithm) 470, 507

shell access 51

after password reset 53

setting passwords for 52-53

shutdown, system 53, 108

after factory reset 53

logging thresholds and 553

signatures, intrusion prevention 40, 251

signing certificate authority 489

for VPN 491

Simple Network Management Protocol See SNMP

Single Sign-On 136

of Active Directory 125, 136

of eDirectory 137

SIP 263

connection tracking helpers 263

site-to-site VPN 465

Amazon VPC 466

certificates for 23

IPsec 468

remote gateways 473-475

SSL 482-483, 485-486

status of 40, 465

skiplist

application control 310

FTP proxy 312, 314

POP3 proxy 343

Quarantine Report 366

Web Filter 303

Slave (high availability node) 101, 103

slot information, interfaces 150

smarthosts

notifications and 82

SMTP proxy 333

SMB share, as log file archive 555

smc 98

smc, server 97

SMTP

data protection 326

SMTP domains 26

SMTP log 372-373

in User Portal 573

SMTP proxy

activation of 316

antispam engine 321

BATV 325, 333, 336

blacklisting of email addresses 78, 323,

337, 575

expression filter 324, 338

greylisting 324, 336

RBLs 322, 336


spam filter 322, 337

spam marker 323

SPF check 325, 336

whitelisting of email addresses 78, 364, 575

antivirus engine 318, 336

email footer 321

encrypted emails 319, 336

unscannable emails 319, 336

certificate authorities

fingerprint 355

confidentiality footer 332, 338

configuration of 315

data protection 338

DKIM 332

email relays 329-331

exceptions 328

file extension filter 320, 337

footer format 333

live log 316

maximum email size 333

messages of, customization 89

MIME Blacklist 337

MIME type filter 319, 337

MIME type Whitelist 337

operation modes 315

profile 316

simple 316

transparent 331

parent proxies 331

postmaster address 333

profiles 334, 338

BATV 336

blacklisting 337

confidentiality footer 338

expression filter 338

extension filter 337

global settings 338

MIME type filter 337

RBLs 336

recipient verification 335

routing 335

scanning of emails 336

spam filter 337

unscannable emails 336

recipient verification 317, 325, 335

restriction settings 333

routing 316, 335

smarthosts 333

SMTP hostname 333

SPX template 316, 338

status of 40

TLS 331

whitelisting 337

SMTP quarantine See email quarantine

SMTP relay 26

SMTP spool 371

bouncing of emails 372

deletion of emails 372

delivery attempts, forced 371

download of emails 371

global cleanup actions 372

SMTP, email encryption 350

SNAT 245

firewall and 237

masquerading 244

SNMP 90

agent 91

community string 91, 93

device information 92

error codes 92

queries 90-91

traps 81, 90, 92

SOCKS proxy 266

bind requests 266

hostname resolution and 267

protocol versions 266

user authentication 266

software, preinstalled 15

Sophos' Portal See MyUTM Portal

Sophos Authentication Agent 123-124


Sophos Knowledgebase 16-17, 27, 66, 88, 102, 155, 563-564

sophos mobile control 97

sophos mobile control, settings 99

Sophos NewsFeed 42

Sophos NSG Partner Portal 565

Sophos NSG Support Forum 27, 66

Sophos RED Provisioning Service See RED Provisioning Service

Sophos User Authentication 126

live log 126

Sophos UTM FTP server 71

Sophos UTM homepage 65, 151

Sophos UTM improvement program 59

Sophos UTM Manager, status of 41

Sophos UTM portal 61

Sophos UTM Up2Date Blog 66, 563

Sophos UTM User Portal SeeUser Portal

source network address translation See SNAT

spam emails, blocked 39

spam filter 322, 337, 341

spam marker 323, 341

Spanning Tree Protocol 176

SPF check, SMTP proxy 325, 336

split tunneling 495

SPX encryption

Outlook add-in 364

spyware See antispyware engine

SQL injections, protection from 425, 434

SSH 51

access control 51

authentication methods 51

clients 51, 266

daemon listen port 52

Linux and 51

port number 52

public keys 51

SSH DSA keys 555

backups and 555

public 555

SSH server, as log file archive 555

SSL

LDAP over 127, 129, 132

SSL certificates 494

identifiers of 125

of users 125

SSL scanning

deactivation of 294

transparent proxy and 294

SSL VPN, clientless 516

SSL VPN, remote access 494-495

activation of 494

certificates 494

client installation instructions 495

client software 494

configuration files for users 494

live log 495

profiles 494

settings of 495-496, 498

split tunneling 495

SSL VPN, site-to-site 485-487

configuration 483

of clients 484-485

of servers 483-484

connections 483-484

settings of 485-487

status of 465

transparent Web Filter and SSL scanning 482

SSO See Single Sign-On

standard (Web Filter operation mode) 274, 287

standard static routes 195

standard time 49

static mappings, DHCP 226

static mappings, DNS 219

static routing 195

statistic overview

of emails 315, 373

of network 147

of network protection events 233

of web surfing 269


status

of log partition 525

operating, of system 26, 39

streaming content 305

subnet 20

subscriptions, license 61

activation of 62

BasicGuard 65, 67

Email Protection 67

information on 67

Network Protection 67

Web Protection 67

Webserver Protection 67

Wireless Protection 67

SUM 94

connection status 96

health status 96

live log 96

servers 96

SUM Gateway Manager 

port number 96

SUM objects 96

local copies 96

removal of 96

SUM server 

as Up2Date cache 95

authentication at 95

privileges 95

rights 95

status of 41

SUM WebAdmin

port number 96

SuperAdmins (user group) 120-121

support 27, 563

configuration dump 567

contact information 89, 564

resolve REF 568

Sophos NSG Partner Portal 565

support cases 565

Support Forum, Sophos NSG 27, 66

support levels 564

support services 67, 564

support tools 565

DNS lookup 565-566

ip 567

netstat 567

ping 565

ps 567

traceroute 565

Surf Protection (Web Filter message) 85

swap usage 104, 528

switches

high availability requirements 102

system requirements 16

symbols See icons, in WebAdmin

SYN flood protection 253

synchronization, Active Directory Group Membership 144

SysIDs, network cards 154, 157

syslog protocol 553

syslog server 

buffer size 554

log selection 554

remote 553

system

configuration of 40

reset of 53

organizational information 48

preinstalled 15

reboot of 

after installation 21

manual 108

settings of 15, 21, 25, 47

shutdown of 108

after factory reset 53

status of 26

system ID, reset of 54

system load 39

reduction of 556

system messages

customization of 83

system requirements 15


T

table

of interfaces 567

routing table 195-196, 567

tables See also lists

pagination of 58

sorting data 531, 533-535, 544, 546, 549-550

TACACS+ 124, 135

backend servers 135

key for authentication/encryption 136

port number 136

tags, VLAN 155

takeover, high availability 101, 174

Telnet, clients 266

templates

backup templates 75

web templates 88

terms of use, WebAdmin 58

TFTP, connection tracking helpers 242

threat status 39

time 48

certificates and 57

daylight saving time 49

NTP 232

NTP servers 48, 50

setting of 19

manual 48, 50

standard time 49

synchronization of 232

time gaps 49

time-to-live 112

time period definitions 109, 117

creation of 117

filter assignments and 117

firewall rules and 117

Info icon 117

recurring events 117

single events 117

time zone 49

certificates and 57

setting of 19, 50

timeout, authentication 303

timeout, WebAdmin 58

TLS, POP3 proxy 344, 347

TLS, SMTP proxy 331

toggle switch, in WebAdmin 35

tools, support 565

DNS lookup 565-566

ip 567

netstat 567

ping 565

ps 567

traceroute 565

TOS bits 471, 508

traceroute 565

settings of 241

traffic monitor See flow monitor

traffic selectors, Quality of Service 44, 179

assignment 185

transparent (SMTP proxy operation mode) 331

skiplist 331

transparent (Web Filter operation mode) 275, 288

full transparent 277, 290

skiplist 303

SSL scanning and 294

traps, SNMP 92

trial license 24

TTL See time-to-live

tunnel brokers, IPv6 193

types of services 25

U

UDP flood protection 254

UMTS (interface type) 149, 151

uninterruptible power supply 16

battery operation 16

notifications and 16

recognition of 17

status of 39, 104

USB port 16


Up2Date Blog, Sophos UTM 66, 563

Up2Date cache 71

parent proxies 71-72

Up2Date Information, Sophos UTM 66, 563

Up2Dates 68

configuration of 71

connection problems 68

digital signature 68

download of 68, 70

installation of 69-70

implicit 70

manual upload 71

of firmware 70

of patterns 70

packages, reset of 53

scheduling of 70

system backup, automatic and 69

update servers 68

update servers 68

upgrades, of license 61

uplink balancing 167

interface persistence 169

monitoring of 169

multipath rules 171

weight distribution 168

Uplink Interfaces (virtual interface) 169

uplink monitoring 186

actions 187

activation of 186

automatic 188

deactivation of 186

Uplink Primary Addresses (network group) 169

uplink, backup 167

uplink, Internet (connection type) 25

uploads, antivirus scanning 432

UPS See uninterruptible power supply

URL filter 

blocked URLs 39

categories 297

deactivation of 294

URL hardening 431, 434

entry URLs 431

key for 438

Outlook Web Access 435

secret of 439

URL rewriting, web application firewall 428

USB port, system requirements 16

user definitions 118

administrator privileges 120

backend synchronization 119

email addresses and 118

Info icon 118

User Portal 77, 571

access control to 79, 125

blacklisting of email addresses 78, 120, 575

certificate of 57

change of password 582

client authentication 78, 578

configuring one-time password 571, 579

cookies of 80

email log 78, 573

email quarantine 78, 572

hostname of 80

hotspots 78, 576

HTML5 VPN Portal 79, 580

IPsec client installation instructions 509

L2TP client installation instructions 503

language of 80

listen address of 81

logout of 79

Mail Quarantine 572

menu of 80

one-time passwords 79

OTP tokens 79

POP3 accounts 78, 574

port number 80

PPTP client installation instructions 499

release of emails

restrictions of users 573

remote access 79, 516, 580

configuration files 493-494

software 79


SMTP log 78, 573

SSL client installation instructions 495

Web Application Firewall and 81

Web Filter CA certificate 79, 582

welcome message 81

whitelisting of email addresses 78, 120, 575

user preferences 57

user rights 56

auditor 56

manager 56

user roles 55

auditor 55

readonly 55

username 97

users 109, 118

authentication of 119

authorization of 134-135

automatic creation of 125

certificate of 120

currently logged in 31

disabling of 119

password

change of 79, 582

setting of 119

user groups 109, 118, 121

UTC 49

UTM ID, reset of 54

V

VDSL 159

verification certificate authority 490

version 39

of firmware 39

of patterns 39

video content, filtering 319, 337

virtual interfaces 148, 166

MAC address changes 175

of name "Uplink Interfaces" 169

virtual LAN  SeeVLAN

virtual webservers 425, 427, 429

disabling compression support 427

HTML rewriting 427

matching real webservers 425, 427

URL rewriting 428

Virus Detected (Web Filter message) 85

Virus Scan in Progress (Web Filter message) 86

viruses See also antivirus engine

blocked 39

VLAN 155

RED appliances 454

switches, configuration of 148

tags 155, 405, 407

wireless networks

activation of 405, 407

IDs 405, 407

tagging 405

tags 405, 407

Voice over IP SeeVoIP

VoIP 263

H.323 264

SIP 263

vouchers, wireless hotspots

creation of 422

deletion of 423

in User Portal 78

vpn 99

VPN 465, 493, See also site-to-site VPN; remote access

signing certificate authority 491

W

WAF See web application firewall

warning message, at installation 21

web application firewall 425, 427, 429-430, 435-439, 442, 445

antivirus engine 432

authentication 439

authentication form templates 443

authentication profiles 439

certificate management 445

cookie signing 431, 438

cross-site scripting filter 434


exceptions 435-436

form hardening 432, 434, 439

HTML rewriting 427, 436

load balancing of servers 425

monitoring of requests 430

Outlook Anywhere 430

Outlook Web Access 435

profiles 430, 435

real webservers 425, 427, 429-430

rejection of requests 430

reporting of 549-550

settings of 438-439

site path routing 437-438

SQL injection filter 434

status of 41

URL hardening 431, 434, 438-439

URL rewriting 428

virtual webservers 425, 427, 429

webserver protection 430, 433

web browser

certificates and 22

HTTP proxy configuration, automatic 225

Kerberos authentication support 136-137, 305

NTLMv2 support 136

security warning 22, 24, 56-57

system requirements 16

Web Filter configuration, automatic 303

Web Filter 270

activation of 273

administrator information 86

antivirus engine 283, 293

authentication at 293, 303

Single Sign-On, use of 136

authentication modes 274, 277, 287, 290

Apple OpenDirectory SSO 305

blocking

download size 85, 293

encrypted files 302

file extensions 282, 293

MIME types 283, 293, 302

spyware 280

unscannable files 302

URLs 294

website categories 26, 269, 280, 297

websites 280

bypass users 296

CA certificate 79, 582

cache 293, 305

reset of 53

categorization parent proxy 304

certificate checks 294

Certificates 305

configuration of 273, 286

content removal 283, 294

deactivation of 273

DNS requests 303

download manager 87, 303

download size 293

exceptions 293-295, 302

standard mode and 294

Filtering Options 293

live log 277

logging 535

accessed pages 284, 294

blocked pages 284, 294

loopback detection 302

maximum scanning size 283

messages 48

customization of 84

modification of 84

operation modes 274, 287

full transparent 277, 290

standard 274, 287, 294

transparent 275, 288

transparent with authentication 86

parent proxies 285, 292

policies 278

testing of 306

policy test 306

port number 302

profiles 286

filter actions 279, 282-284, 291

SafeSearch 284


skiplist, transparent mode 303

SSL scanning 294

status of 40

streaming content 305

target services 302

URLs, invalid 536

warning

file extensions 282

MIME types 282

web browser configuration, automatic 225,

303

website categorization 297

websites 296

web messages 84

administrator information 86

Application Control 85

Blacklist 85

Bypass Content Block 86

Download Complete 86

Download in Progress 85

email address 86

File Extension 85

File Size 85

MIME Type 85

modification of 86

Server Error 86

Surf Protection 85

Transparent Mode Authentication 86

Virus Detected 85

Virus Scan in Progress 86

Web Protection 41, 269-270, 273, 276, 278-279, 282-284, 286, 289, 291-296, 298-306, 311-314

application control 307

downloads 294

policy test 306

reporting of 535, 544-545

settings of 26

statistics 269

status of 269

subscription 67

web surfing 269

data acquisition 269

Web Surfing (service definition) 396

web templates 88

customization of 88

upload of 89

web usage, reporting 535

WebAdmin 15, 29

access control to 54-55

administrators 24, 55

browser tab title 58

button bar of 31

buttons in 35

certificate of 23, 57

information contained in 48

configuration, overview 564

Dashboard 30, 39

dialog boxes in 34

icons in 35

keyboard shortcuts 57

language of 54

lists in 32

logging of access traffic 55

menu of 30

object lists 37

password for 24

port number 22, 58

protocol of 22

sessions, overview 47

settings of 54

monitoring of changes 47

terms of use 58

timeout of 58

user roles 55

version of 39

webserver attacks, blocked 40

Webserver Protection 425, 427, 429-430, 435-439, 442-443, 445

authentication 439

authentication form templates 443

authentication profiles 439

reporting of 550
